Skip to main content
CVE-2025-56266 CRITICAL POC Act Now

A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Access Control Manager
NVD GitHub
CVSS 3.1
9.8
EPSS
7.5%
CVE-2025-56267 CRITICAL POC Act Now

A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via suuplying a crafted Excel file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Access Control Manager
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-9113 CRITICAL Act Now

The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.4.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-9114 CRITICAL Act Now

The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.4.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-52161 CRITICAL Act Now

Scholl Communications AG Weblication CMS Core v019.004.000.000 was discovered to contain a cross-site scripting (XSS) vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Weblication Cms
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-5993 CRITICAL Act Now

ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2025-58746 CRITICAL Act Now

The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Grafana XSS
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-58745 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Code Injection Wegia
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2025-58450 CRITICAL PATCH This Week

pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PostgreSQL SQLi Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-54994 CRITICAL POC PATCH This Week

@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2025-57285 CRITICAL POC PATCH Act Now

codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Codeceptjs
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-57141 CRITICAL POC Act Now

rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ruisibi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-22956 CRITICAL This Week

OPSI before 4.3 allows any client to retrieve any ProductPropertyState, including those of other clients. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy