351 CVEs tracked today. 33 Critical, 157 High, 147 Medium, 13 Low.
-
CVE-2025-54236
CRITICAL
CVSS 9.1
Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote unauthenticated attackers to take over active user sessions via improper input validation, confirmed actively exploited (CISA KEV). With 73.72% EPSS score (99th percentile) and public exploit code available, this represents a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts including administrative sessions without requiring victim interaction.
Information Disclosure
Adobe
-
CVE-2025-58997
CRITICAL
CVSS 9.6
Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-58768
CRITICAL
CVSS 9.6
DeepChat is a smart assistant that uses artificial intelligence. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
RCE
Code Injection
Deepchat
-
CVE-2025-58762
CRITICAL
CVSS 9.1
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
RCE
Python
Path Traversal
Tautulli
-
CVE-2025-58462
CRITICAL
CVSS 9.3
OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQLi
Foiaxpress Public Access Link
-
CVE-2025-57085
CRITICAL
CVSS 9.8
Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
W30e Firmware
-
CVE-2025-55730
CRITICAL
CVSS 10.0
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Atlassian
-
CVE-2025-55729
CRITICAL
CVSS 10.0
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Atlassian
-
CVE-2025-55727
CRITICAL
CVSS 10.0
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
RCE
Code Injection
Atlassian
Pro Macros
-
CVE-2025-55051
CRITICAL
CVSS 10.0
CWE-1392: Use of Default Credentials. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-47579
CRITICAL
CVSS 9.0
Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization
-
CVE-2025-47569
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
SQLi
-
CVE-2025-42958
CRITICAL
CVSS 9.1
Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Privilege Escalation
IBM
SAP
-
CVE-2025-32486
CRITICAL
CVSS 9.8
Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-59046
CRITICAL
CVSS 9.8
The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Command Injection
Node.js
-
CVE-2025-59039
CRITICAL
CVSS 9.3
Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Node.js
-
CVE-2025-58448
CRITICAL
CVSS 9.1
rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
SQLi
Rathena
-
CVE-2025-58447
CRITICAL
CVSS 9.8
rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
RCE
Buffer Overflow
Denial Of Service
Heap Overflow
Rathena
-
CVE-2025-57633
CRITICAL
CVSS 9.8
A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Python
Command Injection
-
CVE-2025-55728
CRITICAL
CVSS 10.0
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
RCE
Code Injection
Atlassian
Pro Macros
-
CVE-2025-55232
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
Microsoft
Hpc Pack
-
CVE-2025-55050
CRITICAL
CVSS 9.8
CWE-1242: Inclusion of Undocumented Features. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-55049
CRITICAL
CVSS 9.1
Use of Default Cryptographic Key (CWE-1394). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-54261
CRITICAL
CVSS 10.0
ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Path Traversal
Coldfusion
-
CVE-2025-44594
CRITICAL
CVSS 9.1
halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SSRF
Halo
-
CVE-2025-42944
CRITICAL
CVSS 10.0
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Java
Deserialization
Command Injection
SAP
-
CVE-2025-42922
CRITICAL
CVSS 9.9
SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RCE
Java
SAP
Code Injection
-
CVE-2025-40804
CRITICAL
CVSS 9.3
A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-40795
CRITICAL
CVSS 9.3
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions <. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Buffer Overflow
Denial Of Service
Stack Overflow
User Management Component
-
CVE-2025-10183
CRITICAL
CVSS 9.1
A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XXE
-
CVE-2025-10159
CRITICAL
CVSS 9.8
An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-10134
CRITICAL
CVSS 9.1
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
RCE
-
CVE-2025-9994
CRITICAL
CVSS 9.8
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-59042
HIGH
CVSS 7.0
PyInstaller bundles a Python application and all its dependencies into a single package. Rated high severity (CVSS 7.0), this vulnerability has low attack complexity. No vendor patch available.
Windows
Privilege Escalation
RCE
Python
Microsoft
-
CVE-2025-59038
HIGH
CVSS 8.6
Prebid.js is a free and open source library for publishers to quickly implement header bidding. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Node.js
-
CVE-2025-59037
HIGH
CVSS 8.6
DuckDB is an analytical in-process SQL database management system. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Node.js
Red Hat
-
CVE-2025-59018
HIGH
CVSS 7.1
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Typo3
-
CVE-2025-59008
HIGH
CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PressTigers ZIP Code Based Content Protection allows SQL Injection. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-58993
HIGH
CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-58991
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Cristiano Zanca WooCommerce Booking Bundle Hours allows Stored XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
XSS
CSRF
-
CVE-2025-58765
HIGH
CVSS 7.1
wabac.js provides a full web archive replay system, or 'wayback machine', using Service Workers. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58763
HIGH
CVSS 8.0
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
RCE
Python
Command Injection
Tautulli
-
CVE-2025-58761
HIGH
CVSS 8.6
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Python
Path Traversal
Tautulli
-
CVE-2025-58760
HIGH
CVSS 8.6
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Python
Path Traversal
Tautulli
-
CVE-2025-58757
HIGH
CVSS 8.8
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RCE
Deserialization
Medical Open Network For Ai
-
CVE-2025-58756
HIGH
CVSS 8.8
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
RCE
Deserialization
Medical Open Network For Ai
-
CVE-2025-58755
HIGH
CVSS 8.8
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Path Traversal
Medical Open Network For Ai
-
CVE-2025-58750
HIGH
CVSS 8.2
rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.
Buffer Overflow
Rathena
-
CVE-2025-58430
HIGH
CVSS 8.6
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
CSRF
Listmonk
Suse
-
CVE-2025-58215
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Ziston allows PHP Local File Inclusion. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-58180
HIGH
CVSS 7.5
OctoPrint provides a web interface for controlling consumer 3D printers. Rated high severity (CVSS 7.5), this vulnerability has low attack complexity. Public exploit code available.
Command Injection
Octoprint
-
CVE-2025-58063
HIGH
CVSS 7.1
CoreDNS is a DNS server that chains plugins. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Red Hat
Suse
-
CVE-2025-57278
HIGH
CVSS 8.8
The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. Rated high severity (CVSS 8.8), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Bl Cpe300M Firmware
-
CVE-2025-57087
HIGH
CVSS 7.5
Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the countryCode parameter in the werlessAdvancedSet function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
W30e Firmware
-
CVE-2025-57086
HIGH
CVSS 7.5
Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNode function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
W30e Firmware
-
CVE-2025-57078
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pppoeServerWhiteMacIndex parameter in the formModifyPppAuthWhiteMac function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57072
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the staticRouteGateway parameter in the formSetStaticRoute function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57071
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the vpnUsers parameter in the formAddVpnUsers function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57070
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the gstUp parameter in the guestWifiRuleRefresh function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57069
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pPppUser parameter in the getsinglepppuser function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57064
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the bindDhcpIndex parameter in the modifyDhcpRule function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57063
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the portMappingIndex parameter in the formDelPortMapping function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57062
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the delDhcpIndex parameter in the formDelDhcpRule function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57061
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formIPMacBindModify function via the ruleId, ip, mac, v6 and remark parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57060
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the rules parameter in the dns_forward_rule_store function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57059
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the dhcpIndex parameter in the addDhcpRule function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57058
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formSetDebugCfg function via the pEnable, pLevel, and pModule parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-57057
HIGH
CVSS 7.5
Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the listStr parameter in the ipMacBindListStore function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Denial Of Service
Stack Overflow
Tenda
G3 Firmware
-
CVE-2025-55317
HIGH
CVSS 7.8
Improper link resolution before file access ('link following') in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Autoupdate
-
CVE-2025-55316
HIGH
CVSS 7.8
External control of file name or path in Azure Arc allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Azure Connected Machine Agent
-
CVE-2025-55245
HIGH
CVSS 7.8
Improper link resolution before file access ('link following') in Xbox allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Xbox Gaming Services
-
CVE-2025-55243
HIGH
CVSS 7.5
Exposure of sensitive information to an unauthorized actor in Microsoft Office Plus allows an unauthorized attacker to perform spoofing over a network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Officeplus
-
CVE-2025-55236
HIGH
CVSS 7.3
Time-of-check time-of-use (TOCTOU) race condition in Graphics Kernel allows an authorized attacker to execute code locally. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Windows 10 1809
Windows 10 21h2
Windows 10 22h2
-
CVE-2025-55234
HIGH
CVSS 8.8
SMB Server might be susceptible to relay attacks depending on the configuration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Microsoft
Windows 10 1507
Windows 10 1607
Windows 10 1809
-
CVE-2025-55228
HIGH
CVSS 7.8
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally. Rated high severity (CVSS 7.8). No vendor patch available.
Windows
Information Disclosure
Race Condition
Microsoft
Windows 10 21h2
-
CVE-2025-55227
HIGH
CVSS 8.8
Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command Injection
Sql Server 2016
Sql Server 2017
Sql Server 2019
Sql Server 2022
-
CVE-2025-55224
HIGH
CVSS 7.8
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally. Rated high severity (CVSS 7.8). No vendor patch available.
Windows
Information Disclosure
Race Condition
Microsoft
Windows 10 1809
-
CVE-2025-55223
HIGH
CVSS 7.0
Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Information Disclosure
Race Condition
Microsoft
Windows 10 1809
Windows 10 21h2
-
CVE-2025-55148
HIGH
CVSS 7.6
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55147
HIGH
CVSS 8.8
CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55145
HIGH
CVSS 8.9
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55142
HIGH
CVSS 8.8
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55141
HIGH
CVSS 8.8
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55047
HIGH
CVSS 8.4
CWE-798 Use of Hard-coded Credentials. Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-54919
HIGH
CVSS 7.5
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally. Rated high severity (CVSS 7.5). No vendor patch available.
Windows
Information Disclosure
Race Condition
Microsoft
Windows 10 1809
-
CVE-2025-54918
HIGH
CVSS 8.8
Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-54916
HIGH
CVSS 7.8
Stack-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability has low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Microsoft
Stack Overflow
Windows 10 1507
-
CVE-2025-54913
HIGH
CVSS 7.8
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows UI XAML Maps MapControlSettings allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8). No vendor patch available.
Windows
Information Disclosure
Race Condition
Microsoft
Windows 10 1507
-
CVE-2025-54912
HIGH
CVSS 7.8
Use after free in Windows BitLocker allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability has low attack complexity. No vendor patch available.
Windows
Denial Of Service
Use After Free
Memory Corruption
Microsoft
-
CVE-2025-54911
HIGH
CVSS 7.3
Use after free in Windows BitLocker allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.3); low attack complexity. No vendor patch available.
Windows
Denial Of Service
Use After Free
Memory Corruption
Microsoft
-
CVE-2025-54910
HIGH
CVSS 8.4
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 8.4); requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Heap Overflow
Microsoft
365 Apps
Office
-
CVE-2025-54908
HIGH
CVSS 7.8
Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Use After Free
Memory Corruption
Microsoft
365 Apps
-
CVE-2025-54907
HIGH
CVSS 7.8
Heap-based buffer overflow in Microsoft Office Visio allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Heap Overflow
Microsoft
365 Apps
Office
-
CVE-2025-54906
HIGH
CVSS 7.8
Free of memory not on the heap in Microsoft Office allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
Use After Free
Memory Corruption
Microsoft
365 Apps
-
CVE-2025-54905
HIGH
CVSS 7.1
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to disclose information locally. Rated high severity (CVSS 7.1); requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
365 Apps
Office
Office Long Term Servicing Channel
-
CVE-2025-54904
HIGH
CVSS 7.8
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Use After Free
Memory Corruption
Microsoft
365 Apps
-
CVE-2025-54903
HIGH
CVSS 7.8
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Use After Free
Memory Corruption
Microsoft
365 Apps
-
CVE-2025-54902
HIGH
CVSS 7.8
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Microsoft
365 Apps
Excel
-
CVE-2025-54900
HIGH
CVSS 7.8
Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Heap Overflow
Microsoft
365 Apps
Excel
-
CVE-2025-54899
HIGH
CVSS 7.8
Free of memory not on the heap in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
Microsoft
365 Apps
Excel
Office
-
CVE-2025-54898
HIGH
CVSS 7.8
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Microsoft
365 Apps
Excel
-
CVE-2025-54897
HIGH
CVSS 8.8
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.
Deserialization
Microsoft
Sharepoint Server
-
CVE-2025-54896
HIGH
CVSS 7.8
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Use After Free
Memory Corruption
Microsoft
365 Apps
-
CVE-2025-54895
HIGH
CVSS 7.8
Integer overflow or wraparound in Windows SPNEGO Extended Negotiation allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8). No vendor patch available.
Windows
Buffer Overflow
Integer Overflow
Microsoft
Windows 10 1507
-
CVE-2025-54894
HIGH
CVSS 7.8
Local Security Authority Subsystem Service (LSASS) elevation of privilege vulnerability. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Buffer Overflow
Heap Overflow
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-54709
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Sala.1.6. Rated high severity (CVSS 8.1); remotely exploitable without authentication. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-54260
HIGH
CVSS 7.8
Substance3D - Modeler versions 1.22.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory region. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Substance 3d Modeler
-
CVE-2025-54259
HIGH
CVSS 7.8
Substance3D - Modeler versions 1.22.2 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
RCE
Integer Overflow
Substance 3d Modeler
-
CVE-2025-54258
HIGH
CVSS 7.8
Substance3D - Modeler versions 1.22.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
RCE
Denial Of Service
Use After Free
Memory Corruption
Substance 3d Modeler
-
CVE-2025-54257
HIGH
CVSS 7.8
Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
RCE
Denial Of Service
Use After Free
Memory Corruption
Adobe
-
CVE-2025-54256
HIGH
CVSS 8.6
Dreamweaver Desktop versions 21.5 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 8.6); requires no authentication and has low attack complexity. No vendor patch available.
RCE
CSRF
Dreamweaver
-
CVE-2025-54248
HIGH
CVSS 7.7
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. Rated high severity (CVSS 7.7); remotely exploitable with low attack complexity. No vendor patch available.
Authentication Bypass
Adobe
Experience Manager
-
CVE-2025-54245
HIGH
CVSS 7.8
Substance3D - Viewer versions 0.25.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
RCE
Buffer Overflow
Memory Corruption
Substance 3d Viewer
-
CVE-2025-54244
HIGH
CVSS 7.8
Substance3D - Viewer versions 0.25.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
RCE
Buffer Overflow
Heap Overflow
Substance 3d Viewer
-
CVE-2025-54243
HIGH
CVSS 7.8
Substance3D - Viewer versions 0.25.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
RCE
Buffer Overflow
Memory Corruption
Substance 3d Viewer
-
CVE-2025-54242
HIGH
CVSS 7.8
Premiere Pro versions 25.3, 24.6.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
RCE
Denial Of Service
Use After Free
Memory Corruption
Premiere Pro
-
CVE-2025-54116
HIGH
CVSS 7.3
Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.3); low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-54115
HIGH
CVSS 7.0
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Windows
Information Disclosure
Race Condition
Microsoft
Windows 10 1809
-
CVE-2025-54114
HIGH
CVSS 7.0
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Windows
Information Disclosure
Race Condition
Microsoft
Windows 10 1607
-
CVE-2025-54113
HIGH
CVSS 8.8
Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Heap Overflow
Microsoft
Windows Server 2008
-
CVE-2025-54112
HIGH
CVSS 7.0
Use after free in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Denial Of Service
Use After Free
Memory Corruption
Microsoft
Windows 10 1507
-
CVE-2025-54111
HIGH
CVSS 7.8
Use after free in Windows UI XAML Phone DatePickerFlyout allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8). No vendor patch available.
Windows
Denial Of Service
Use After Free
Memory Corruption
Microsoft
-
CVE-2025-54110
HIGH
CVSS 8.8
Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 8.8); low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Integer Overflow
Microsoft
Windows 10 1507
-
CVE-2025-54108
HIGH
CVSS 7.0
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges. Rated high severity (CVSS 7.0). No vendor patch available.
Information Disclosure
Race Condition
Microsoft
Windows 11 24h2
Windows Server 2025
-
CVE-2025-54106
HIGH
CVSS 8.8
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Integer Overflow
Microsoft
Windows Server 2012
-
CVE-2025-54105
HIGH
CVSS 7.0
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Information Disclosure
Race Condition
Microsoft
Windows 11 24h2
Windows Server 2022 23h2
-
CVE-2025-54103
HIGH
CVSS 7.4
Use after free in Windows Management Services allows an unauthorized attacker to elevate privileges locally. Rated high severity (CVSS 7.4); requires no authentication. No vendor patch available.
Windows
Denial Of Service
Use After Free
Memory Corruption
Microsoft
-
CVE-2025-54102
HIGH
CVSS 7.8
Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Windows
Denial Of Service
Use After Free
Memory Corruption
Microsoft
-
CVE-2025-54099
HIGH
CVSS 7.0
Stack-based buffer overflow in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Windows
Buffer Overflow
Microsoft
Stack Overflow
Windows 10 1507
-
CVE-2025-54098
HIGH
CVSS 7.8
Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-54093
HIGH
CVSS 7.0
Time-of-check time-of-use (toctou) race condition in Windows TCP/IP allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Windows
Information Disclosure
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-54092
HIGH
CVSS 7.8
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Windows
Information Disclosure
Race Condition
Microsoft
Windows 10 1809
-
CVE-2025-54091
HIGH
CVSS 7.8
Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Heap Overflow
Microsoft
Windows 10 1507
-
CVE-2025-54084
HIGH
CVSS 8.5
An OS command injection vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through. Rated high severity (CVSS 8.5); low attack complexity. No vendor patch available.
Command Injection
-
CVE-2025-53914
HIGH
CVSS 7.0
Excessive Privileges vulnerability in Calix GigaCenter ONT (Broadcom SoC modules) allows Privilege Abuse. Rated high severity (CVSS 7.0); requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
Broadcom
-
CVE-2025-53913
HIGH
CVSS 7.0
Excessive Privileges vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows Privilege Abuse. Rated high severity (CVSS 7.0); requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
-
CVE-2025-53807
HIGH
CVSS 7.0
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Information Disclosure
Race Condition
Microsoft
Windows 10 1809
Windows 10 21h2
-
CVE-2025-53805
HIGH
CVSS 7.5
Out-of-bounds read in Windows Internet Information Services allows an unauthorized attacker to deny service over a network. Rated high severity (CVSS 7.5); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Information Disclosure
Microsoft
Windows 11 22h2
-
CVE-2025-53802
HIGH
CVSS 7.0
Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Windows
Denial Of Service
Use After Free
Memory Corruption
Microsoft
-
CVE-2025-53801
HIGH
CVSS 7.8
Untrusted pointer dereference in Windows DWM allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Windows
Information Disclosure
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-53800
HIGH
CVSS 7.8
A flaw (no CWE assigned) in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Windows 10 1607
Windows 10 1809
Windows 10 21h2
-
CVE-2025-53303
HIGH
CVSS 8.8
Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core allows Object Injection.4.2. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-52915
HIGH
CVSS 7.2
K7RKScan.sys 23.0.0.10, part of the K7 Security Anti-Malware suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party. Rated high severity (CVSS 7.2); remotely exploitable with low attack complexity. No vendor patch available.
Privilege Escalation
Denial Of Service
-
CVE-2025-52322
HIGH
CVSS 7.5
An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in. Rated high severity (CVSS 7.5); remotely exploitable without authentication, with low attack complexity. Public exploit code is available; no vendor patch available.
Denial Of Service
Open5gs
-
CVE-2025-49734
HIGH
CVSS 7.0
Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.0). No vendor patch available.
Windows
Information Disclosure
Microsoft
Powershell
Windows 10 1607
-
CVE-2025-49692
HIGH
CVSS 7.8
Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Azure Connected Machine Agent
-
CVE-2025-49459
HIGH
CVSS 7.8
Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6.5.0 may allow an authenticated user to escalate privileges via local access. Rated high severity (CVSS 7.8); low attack complexity. Fixed in version 6.5.0.
Windows
Authentication Bypass
Privilege Escalation
Microsoft
-
CVE-2025-49430
HIGH
CVSS 7.2
Server-Side Request Forgery (SSRF) vulnerability in FWDesign Ultimate Video Player allows Server Side Request Forgery.1. Rated high severity (CVSS 7.2); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
SSRF
-
CVE-2025-48208
HIGH
CVSS 8.8
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.
Apache
LDAP
Code Injection
Hertzbeat
-
CVE-2025-48101
HIGH
CVSS 8.8
Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection.1.1. Rated high severity (CVSS 8.8); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
WordPress
Deserialization
-
CVE-2025-47695
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in solwin Blog Designer PRO.4.7. Rated high severity (CVSS 7.5); remotely exploitable. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-47694
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO.4.7. Rated high severity (CVSS 7.1); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
XSS
-
CVE-2025-47571
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in highwarden Super Store Finder.9.7. Rated high severity (CVSS 7.5); remotely exploitable without authentication. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-47570
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in villatheme WooCommerce Photo Reviews.3.13. Rated high severity (CVSS 7.1); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-43491
HIGH
CVSS 7.3
A vulnerability in the Poly Lens Desktop application running on Windows might allow modifications to the filesystem, which might lead to SYSTEM-level privileges being granted. Rated high severity (CVSS 7.3); low attack complexity. No vendor patch available.
Windows
Information Disclosure
Microsoft
Poly Lens Desktop
-
CVE-2025-42933
HIGH
CVSS 8.8
When a user logs in via the SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.
Information Disclosure
SAP
-
CVE-2025-42929
HIGH
CVSS 8.1
Due to missing input validation, an attacker with high-privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization. Rated high severity (CVSS 8.1); low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-42916
HIGH
CVSS 8.1
Due to missing input validation, an attacker with high-privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization. Rated high severity (CVSS 8.1); low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-41701
HIGH
CVSS 7.8
An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-40798
HIGH
CVSS 8.7
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions <. Rated high severity (CVSS 8.7); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Buffer Overflow
Denial Of Service
Information Disclosure
User Management Component
Simatic Pcs Neo
-
CVE-2025-40797
HIGH
CVSS 8.7
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions <. Rated high severity (CVSS 8.7); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Buffer Overflow
Denial Of Service
Information Disclosure
User Management Component
Simatic Pcs Neo
-
CVE-2025-40796
HIGH
CVSS 8.7
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions <. Rated high severity (CVSS 8.7); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Buffer Overflow
Denial Of Service
Information Disclosure
User Management Component
Simatic Pcs Neo
-
CVE-2025-33045
HIGH
CVSS 8.2
APTIOV contains vulnerabilities in the BIOS where a privileged user may cause a “Write-what-where Condition” and “Exposure of Sensitive Information to an Unauthorized Actor” through local access. Rated high severity (CVSS 8.2); low attack complexity. No vendor patch available.
Information Disclosure
Aptio V
-
CVE-2025-32689
HIGH
CVSS 7.5
Improper Validation of Specified Quantity in Input vulnerability in ThemesGrove WP SmartPay.7.13. Rated high severity (CVSS 7.5); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-29089
HIGH
CVSS 7.5
An issue in TP-Link AX10 Ax1500 v.1.3.10 Build (20230130) allows a remote attacker to obtain sensitive information. Rated high severity (CVSS 7.5); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Information Disclosure
TP-Link
-
CVE-2025-24404
HIGH
CVSS 8.8
XML injection leading to remote code execution when Apache HertzBeat parses an HTTP sitemap XML response. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.
Apache
Code Injection
Hertzbeat
-
CVE-2025-23344
HIGH
CVSS 7.3
The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to run code on the platform host as a non-privileged user. Rated high severity (CVSS 7.3); low attack complexity. No vendor patch available.
RCE
Denial Of Service
Information Disclosure
Command Injection
Nvdebug
-
CVE-2025-23343
HIGH
CVSS 7.6
The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to write files to restricted components. Rated high severity (CVSS 7.6). No vendor patch available.
Denial Of Service
Information Disclosure
Path Traversal
Nvdebug
Nvidia
-
CVE-2025-23342
HIGH
CVSS 8.2
The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to a privileged account. Rated high severity (CVSS 8.2); low attack complexity. No vendor patch available.
RCE
Denial Of Service
Information Disclosure
Nvdebug
Nvidia
-
CVE-2025-10199
HIGH
CVSS 7.8
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path. Rated high severity (CVSS 7.8); low attack complexity. No vendor patch available.
Windows
Privilege Escalation
Microsoft
Sunshine
-
CVE-2025-10198
HIGH
CVSS 7.8
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing an attacker to plant a malicious DLL in a user-writable directory on PATH. Rated high severity (CVSS 7.8); requires no authentication and has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Microsoft
Sunshine
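Practitioner check for the two Sunshine entries above (CVE-2025-10199, unquoted service path; CVE-2025-10198, DLL search order via a user-writable PATH directory). This is an added example, not Sunshine code and not the reporter's proof of concept: the ImagePath, the PATH value and the set of writable directories are constructed, and Sunshine's real installation path is not assumed. It computes the exact files CreateProcess would try before the intended binary, which is what turns "unquoted path" from a scanner finding into a confirmed planting location.

```python
"""Offline triage helpers for two Windows local-EoP patterns:
an unquoted service ImagePath containing spaces (CWE-428) and a
user-writable directory on PATH enabling DLL search-order hijacking (CWE-427).
Added example; not vendor code. All sample data below is constructed."""
import re

# The intended executable ends at the first ".exe" followed by whitespace/end.
EXE_RE = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for a service ImagePath value.

    A quoted path is unambiguous. For an unquoted path we take the intended
    reading (up to the first '.exe'); CreateProcess does not know that and
    will try every shorter space-delimited prefix first."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = EXE_RE.search(s)
    if m:
        return s[: m.end()], s[m.end():].strip()
    return s, ""


def hijack_candidates(image_path):
    """Paths CreateProcess tries *before* the real executable when an unquoted
    ImagePath contains spaces. Each is a planting location for a local attacker
    who can write to that directory. An empty list means not vulnerable."""
    if image_path.strip().startswith('"'):
        return []
    exe, _args = split_image_path(image_path)
    if " " not in exe:
        return []
    parts = exe.split(" ")
    # r"C:\Program Files\Example Tool\svc.exe" -> tries "C:\Program.exe",
    # then "C:\Program Files\Example.exe", then the real file.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def is_unquoted_service_path(image_path):
    return bool(hijack_candidates(image_path))


def writable_path_dirs(path_value, is_user_writable):
    """Return PATH entries a standard user can write to, in search order.
    The ACL predicate is injected so this runs offline; on a host, wrap an
    icacls or Get-Acl check."""
    seen, result = set(), []
    for entry in path_value.split(";"):
        d = entry.strip().rstrip("\\")
        if not d or d.lower() in seen:
            continue
        seen.add(d.lower())
        if is_user_writable(d):
            result.append(d)
    return result


# --- constructed sample data (hypothetical; not read from any real host) ---
SAMPLE_IMAGE_PATH = r"C:\Program Files\Example Tool\svc.exe --service"
SAMPLE_PATH = (r"C:\Windows\system32;C:\Windows;C:\Tools;"
               r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps")
SAMPLE_WRITABLE = {r"C:\Tools",
                   r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps"}


def triage(image_path=SAMPLE_IMAGE_PATH, path_value=SAMPLE_PATH,
           writable=SAMPLE_WRITABLE):
    """Both checks combined into one findings dict."""
    return {
        "unquoted_service_path": hijack_candidates(image_path),
        "writable_path_dirs": writable_path_dirs(path_value,
                                                 lambda d: d in writable),
    }


if __name__ == "__main__":
    for finding, detail in triage().items():
        print(finding, detail)
```

On a live host, feed `ImagePath` values read from `HKLM\SYSTEM\CurrentControlSet\Services\<name>` and the machine PATH from `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment`, and replace the constructed predicate with an ACL check (for example, parse `icacls` output for `BUILTIN\Users` or `Authenticated Users` carrying `(W)` or `(M)`). A candidate is only exploitable if the attacker can write to its parent directory and the service runs as a higher-privileged account.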
-
CVE-2025-10172
HIGH
CVSS 7.4
A flaw has been found in UTT 750W up to 3.2.2-191225. Rated high severity (CVSS 7.4); remotely exploitable with low attack complexity. Public exploit code is available; no vendor patch available.
Buffer Overflow
750w Firmware
-
CVE-2025-10171
HIGH
CVSS 7.4
A vulnerability was detected in UTT 1250GW up to 3.2.2-200710. Rated high severity (CVSS 7.4); remotely exploitable with low attack complexity. Public exploit code is available; no vendor patch available.
Buffer Overflow
1250Gw Firmware
-
CVE-2025-10170
HIGH
CVSS 7.4
A security vulnerability has been detected in UTT 1200GW up to 3.0.0-170831. Rated high severity (CVSS 7.4); remotely exploitable with low attack complexity. Public exploit code is available; no vendor patch available.
Buffer Overflow
1200Gw Firmware
-
CVE-2025-10169
HIGH
CVSS 7.4
A weakness has been identified in UTT 1200GW up to 3.0.0-170831. Rated high severity (CVSS 7.4); remotely exploitable with low attack complexity. Public exploit code is available; no vendor patch available.
Buffer Overflow
1200Gw Firmware
-
CVE-2025-10120
HIGH
CVSS 7.4
A vulnerability was detected in Tenda AC20 up to 16.03.08.12. Rated high severity (CVSS 7.4); remotely exploitable with low attack complexity. Public exploit code is available; no vendor patch available.
Buffer Overflow
Tenda
Ac20 Firmware
-
CVE-2025-9951
HIGH
CVSS 7.2
A heap buffer overflow write exists in the FFmpeg jpeg2000dec decoder, which may allow an attacker to gain remote code execution or cause denial of service via the channel definition (cdef) atom of. Rated high severity (CVSS 7.2); remotely exploitable. No vendor patch available.
RCE
Buffer Overflow
Denial Of Service
Heap Overflow
Suse
-
CVE-2025-9872
HIGH
CVSS 8.8
Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8); remotely exploitable without authentication, with low attack complexity. Fixed in 2024 SU3 SR1 and 2022 SU8 SR2.
RCE
Ivanti
File Upload
Endpoint Manager
-
CVE-2025-9712
HIGH
CVSS 8.8
Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8); remotely exploitable without authentication, with low attack complexity. Fixed in 2024 SU3 SR1 and 2022 SU8 SR2.
RCE
Ivanti
File Upload
Endpoint Manager
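The two Ivanti Endpoint Manager entries above (CVE-2025-9872, CVE-2025-9712) are both "insufficient filename validation" on an upload path that ends in code execution. The block below is an added example of what sufficient validation looks like on the server side; it is not Ivanti code and makes no claim about how Endpoint Manager handles names. The extension allow-list, length limits and sample names are assumptions chosen for illustration.

```python
"""Hardened handling of a client-supplied upload filename (CWE-434 / CWE-22).
Added example; not vendor code. The client name is treated as untrusted
display data: only its extension is consulted, against an allow-list, and
the name actually written to disk is a server-generated random token."""
import os
import secrets
import unicodedata

# Assumption: the application only ever needs to serve these types.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv"}
# Inner extensions refused even before an allowed final one ("shell.aspx.png").
EXECUTABLE_EXTENSIONS = {"php", "php5", "phtml", "asp", "aspx", "ashx", "asmx",
                         "jsp", "jspx", "exe", "dll", "bat", "cmd", "ps1",
                         "sh", "cgi"}
MAX_BASENAME = 100


class RejectedFilename(ValueError):
    """Raised for any name that fails validation; the caller answers 4xx."""


def safe_upload_name(client_name, token=None):
    """Validate `client_name` and return the stored name, or raise.

    `token` is injectable for tests; production leaves it None so a fresh
    random token is generated for every upload."""
    if not client_name or len(client_name) > 255:
        raise RejectedFilename("empty or oversized name")
    # NUL and other control characters truncate or confuse C-backed path APIs.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in client_name):
        raise RejectedFilename("control character in name")
    # NFKC folds look-alikes (e.g. fullwidth '.') before any dot/slash logic.
    name = unicodedata.normalize("NFKC", client_name)
    # Keep only the final path component, whichever separator the client used.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or len(base) > MAX_BASENAME:
        raise RejectedFilename("empty, dot-only or overlong component")
    # NTFS alternate data streams, and trailing dots/spaces Windows strips.
    if ":" in base or base != base.rstrip(". "):
        raise RejectedFilename("ADS separator or trailing dot/space")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise RejectedFilename("missing extension or leading-dot name")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedFilename(f"extension .{ext} not allowed")
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        raise RejectedFilename("executable inner extension")
    return f"{token or secrets.token_hex(16)}.{ext}"


def store_path(upload_root, stored_name):
    """Join under the upload root and prove the result did not escape it."""
    root = os.path.realpath(upload_root)
    full = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, full]) != root:
        raise RejectedFilename("path escaped upload root")
    return full


if __name__ == "__main__":
    # Constructed sample names, not taken from any real request.
    for candidate in ["quarterly report.pdf", "..\\..\\wwwroot\\shell.aspx",
                      "shell.aspx.png", "image.png\x00.php", "report.pdf."]:
        try:
            print(repr(candidate), "->", safe_upload_name(candidate))
        except RejectedFilename as why:
            print(repr(candidate), "rejected:", why)
```

The order matters: normalisation happens before the separator split, the split happens before the extension check, and the extension check is an allow-list, not a deny-list. Even so, the stored file should live outside the web root and be served with a fixed `Content-Type` derived from the allow-listed extension, so a bypass of this function still does not yield execution.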
-
CVE-2025-9539
HIGH
CVSS 8.0
The AutomatorWP (Automator plugin for no-code automations, webhooks & custom integrations) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing. Rated high severity (CVSS 8.0); remotely exploitable with low attack complexity. No vendor patch available.
PHP
WordPress
Privilege Escalation
RCE
Code Injection
-
CVE-2025-9364
HIGH
CVSS 8.7
An open database issue exists in the affected version of FactoryTalk Analytics LogixAI. Rated high severity (CVSS 8.7); requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
Redis
Factorytalk Analytics Logixai
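The entry above is tagged Redis, and the page does not say what in FactoryTalk Analytics LogixAI is exposed, so the added example below is the generic check for that class: does a Redis listener answer an unauthenticated command? It is not Rockwell or Redis code. The RESP encoder/parser is written here from the protocol's public wire format; the two reply byte strings are constructed, not captured from any host.

```python
"""Minimal RESP2 client to classify a Redis listener as open, password/ACL
protected, or refused by protected-mode. Added example; not vendor code.
Only `probe()` touches the network; everything else runs offline."""
import socket


def encode_command(*args):
    """RESP2 array of bulk strings, e.g. encode_command('PING')."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def parse_reply(data):
    """Parse one RESP2 reply. Returns (kind, value) with kind in
    'status', 'error', 'integer', 'bulk', 'incomplete' or 'unknown'."""
    if not data.endswith(b"\r\n"):
        return ("incomplete", None)
    tag, body = data[:1], data[1:]
    try:
        if tag == b"+":
            return ("status", body[:-2].decode(errors="replace"))
        if tag == b"-":
            return ("error", body[:-2].decode(errors="replace"))
        if tag == b":":
            return ("integer", int(body[:-2]))
        if tag == b"$":
            head, _, rest = body.partition(b"\r\n")
            n = int(head)
            if n == -1:
                return ("bulk", None)            # null bulk string
            if len(rest) < n + 2:
                return ("incomplete", None)      # wait for more bytes
            return ("bulk", rest[:n].decode(errors="replace"))
    except ValueError:
        pass
    return ("unknown", data)


def classify(reply):
    """Turn the reply to an unauthenticated 'INFO server' into a finding."""
    kind, value = reply
    if kind == "error" and value.startswith("NOAUTH"):
        return "auth_required"      # requirepass / ACL in place
    if kind == "error" and value.startswith("DENIED"):
        return "protected_mode"     # non-loopback client refused, no password set
    if kind == "bulk" and value and "redis_version" in value:
        return "open"               # server details returned without AUTH
    return "unknown"


def probe(host, port=6379, timeout=3.0):
    """Live check: send INFO server with no AUTH and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command("INFO", "server"))
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            buf += chunk
            reply = parse_reply(buf)
            if reply[0] != "incomplete":
                return classify(reply)
    return "unknown"


# Constructed replies for offline use (not captured from any real instance).
OPEN_REPLY = (b"$54\r\n# Server\r\nredis_version:7.2.4\r\n"
              b"redis_mode:standalone\r\n\r\n")
NOAUTH_REPLY = b"-NOAUTH Authentication required.\r\n"


if __name__ == "__main__":
    print("constructed open reply   ->", classify(parse_reply(OPEN_REPLY)))
    print("constructed NOAUTH reply ->", classify(parse_reply(NOAUTH_REPLY)))
```

An "open" result from a non-loopback address means any client on that network segment can read and write the dataset and, on older or misconfigured builds, abuse `CONFIG SET dir`/`dbfilename` or module loading to write files. The fix is the same regardless of the embedding product: bind to loopback or a private interface, set `requirepass` or ACL users, and keep `protected-mode yes`.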
-
CVE-2025-9166
HIGH
CVSS 8.2
A denial-of-service issue exists in the affected version of ControlLogix 5580 firmware. Rated high severity (CVSS 8.2); remotely exploitable without authentication, with low attack complexity. No vendor patch available.
Denial Of Service
Null Pointer Dereference
Controllogix 5580 Firmware
-
CVE-2025-9161
HIGH
CVSS 7.3
A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable. No vendor patch available.
RCE
Command Injection
Factorytalk Optix
-
CVE-2025-9160
HIGH
CVSS 7.0
A code execution security issue exists in the affected product. Rated high severity (CVSS 7.0), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
RCE
-
CVE-2025-9065
HIGH
CVSS 8.6
A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SSRF
Rockwell
Thinmanager
-
CVE-2025-8008
HIGH
CVSS 7.1
A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash. Rated high severity (CVSS 7.1), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
1756 En2Tr Series A Firmware
1756 En2Tr Series B Firmware
1756 En2Tr Series C Firmware
1756 En4Tr Firmware
-
CVE-2025-8007
HIGH
CVSS 7.1
A security issue exists in the protected mode of 1756-EN4TR and 1756-EN2TR communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable (MNFR) fault. Rated high severity (CVSS 7.1), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
1756 En2Tr Series A Firmware
1756 En2Tr Series B Firmware
1756 En2Tr Series C Firmware
1756 En4Tr Firmware
-
CVE-2025-7970
HIGH
CVSS 8.7
A security issue exists within FactoryTalk Activation Manager. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Information Disclosure
Factorytalk Activation Manager
-
CVE-2025-7635
HIGH
CVSS 8.7
Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access. Rated high severity (CVSS 8.7), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Calix Gigacenter Ont
-
CVE-2025-7350
HIGH
CVSS 8.6
A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Cisco
-
CVE-2025-59044
MEDIUM
CVSS 4.4
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Rated medium severity (CVSS 4.4), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Suse
-
CVE-2025-59036
MEDIUM
CVSS 5.5
Infrahub offers a central hub to manage data, templates, and playbooks. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-59019
MEDIUM
CVSS 5.3
Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose information from arbitrary database. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Typo3
-
CVE-2025-59017
MEDIUM
CVSS 5.3
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to directly invoke AJAX. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Typo3
-
CVE-2025-59016
MEDIUM
CVSS 5.3
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Typo3
-
CVE-2025-59015
MEDIUM
CVSS 6.3
A deterministic three-character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0-12.4.36 and 13.0.0-13.4.17 reduces entropy, allowing attackers to carry out brute-force. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Information Disclosure
Typo3
-
CVE-2025-59014
MEDIUM
CVSS 5.1
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 lets administrator-level backend users trigger a denial-of-service condition in. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Typo3
-
CVE-2025-59013
MEDIUM
CVSS 5.3
An open-redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allows an attacker to redirect users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Open Redirect
Typo3
-
CVE-2025-59005
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in frenify Categorify allows Exploiting Incorrectly Configured Access Control Security Levels.0.7.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58990
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasTech ShopLentor allows Stored XSS.2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
XSS
-
CVE-2025-58989
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silverplugins217 Dynamic Text Field For Contact Form 7 allows Stored XSS.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58988
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Dolson My Tickets allows Stored XSS.0.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58987
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS.12.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58985
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS.7.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-58984
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nanbu Welcart e-Commerce allows Stored XSS.11.20. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58983
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stefano Lissa Include Me allows Stored XSS.3.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58982
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline's Email Protector allows Stored XSS.3.8. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58981
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital allows Exploiting Incorrectly Configured Access Control Security Levels.31.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58980
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in recorp Export WP Page to Static HTML/CSS allows Accessing Functionality Not Properly Constrained by ACLs.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58979
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in BerqWP BerqWP allows Exploiting Incorrectly Configured Access Control Security Levels.2.53. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58978
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in WP Swings PDF Generator for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.5.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
Authentication Bypass
-
CVE-2025-58977
MEDIUM
CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in Rhys Wynne WP eBay Product Feeds allows Server Side Request Forgery.4.8. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.
SSRF
-
CVE-2025-58976
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital allows Exploiting Incorrectly Configured Access Control Security Levels.31.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58975
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings allows Cross Site Request Forgery.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-58759
MEDIUM
CVSS 5.1
TinyEnv is an environment variable loader for PHP applications. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
PHP
Information Disclosure
Tinyenv
-
CVE-2025-58758
MEDIUM
CVSS 5.1
TinyEnv is an environment variable loader for PHP applications. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication and has low attack complexity.
PHP
Information Disclosure
Tinyenv
-
CVE-2025-58753
MEDIUM
CVSS 5.3
Copyparty is a portable file server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.
Information Disclosure
Path Traversal
Copyparty
-
CVE-2025-58442
MEDIUM
CVSS 5.3
Saleor is an e-commerce platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-58435
MEDIUM
CVSS 4.1
Open OnDemand is an open-source HPC portal. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-58135
MEDIUM
CVSS 5.3
Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Windows
Information Disclosure
Microsoft
Workplace Desktop
Meeting Software Development Kit
-
CVE-2025-58134
MEDIUM
CVSS 4.3
Incorrect authorization in certain Zoom Workplace Clients for Windows may allow an authenticated user to conduct an impact to integrity via network access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Workplace Desktop
Meeting Software Development Kit
-
CVE-2025-58131
MEDIUM
CVSS 6.6
Race condition in the Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon before version 6.4.10 (or before 6.2.15 and 6.3.12 in their respective tracks) may allow an authenticated. Rated medium severity (CVSS 6.6), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Apple
macOS
VMware
-
CVE-2025-57665
MEDIUM
CVSS 6.4
Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Open Redirect
Element Plus
-
CVE-2025-57540
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment (PVE) 8.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Virtual Environment
-
CVE-2025-57539
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Virtual Environment
-
CVE-2025-57538
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in the HTTP Proxy field within the Datacenter configuration panel of Proxmox Virtual Environment (PVE) 8.4 allows an authenticated user to inject. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Virtual Environment
-
CVE-2025-55226
MEDIUM
CVSS 6.7
Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to execute code locally. Rated medium severity (CVSS 6.7). No vendor patch available.
Information Disclosure
Race Condition
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-55225
MEDIUM
CVSS 6.5
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Information Disclosure
Microsoft
Windows Server 2008
-
CVE-2025-55146
MEDIUM
CVSS 4.9
An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial Of Service
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55144
MEDIUM
CVSS 5.4
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55143
MEDIUM
CVSS 6.1
Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55139
MEDIUM
CVSS 6.8
SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SSRF
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-55054
MEDIUM
CVSS 6.1
CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-55053
MEDIUM
CVSS 6.5
CWE-328: Use of Weak Hash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-55052
MEDIUM
CVSS 4.3
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-54917
MEDIUM
CVSS 4.3
Protection mechanism failure in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-54915
MEDIUM
CVSS 6.7
Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Memory Corruption
Microsoft
Windows 10 1507
-
CVE-2025-54901
MEDIUM
CVSS 5.5
Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Microsoft
365 Apps
Excel
Office
-
CVE-2025-54255
MEDIUM
CVSS 4.0
Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.0), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
Adobe
Acrobat
Acrobat Dc
Acrobat Reader
-
CVE-2025-54252
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Adobe
Experience Manager
-
CVE-2025-54251
MEDIUM
CVSS 4.3
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Adobe
Experience Manager
-
CVE-2025-54250
MEDIUM
CVSS 4.9
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Adobe
Experience Manager
-
CVE-2025-54249
MEDIUM
CVSS 6.5
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SSRF
Adobe
Experience Manager
-
CVE-2025-54247
MEDIUM
CVSS 6.5
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Adobe
Experience Manager
-
CVE-2025-54246
MEDIUM
CVSS 6.5
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Adobe
Experience Manager
-
CVE-2025-54241
MEDIUM
CVSS 5.5
After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information. Rated medium severity (CVSS 5.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
After Effects
-
CVE-2025-54240
MEDIUM
CVSS 5.5
After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information. Rated medium severity (CVSS 5.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
After Effects
-
CVE-2025-54239
MEDIUM
CVSS 5.5
After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information. Rated medium severity (CVSS 5.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
After Effects
-
CVE-2025-54109
MEDIUM
CVSS 6.7
Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Memory Corruption
Microsoft
Windows 10 1507
-
CVE-2025-54107
MEDIUM
CVSS 4.3
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-54104
MEDIUM
CVSS 6.7
Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Memory Corruption
Microsoft
Windows 10 1507
-
CVE-2025-54101
MEDIUM
CVSS 4.8
Use after free in Windows SMBv3 Client allows an authorized attacker to execute code over a network. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable. No vendor patch available.
Windows
Denial Of Service
Use After Free
Memory Corruption
Microsoft
-
CVE-2025-54097
MEDIUM
CVSS 6.5
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Information Disclosure
Microsoft
Windows Server 2008
-
CVE-2025-54096
MEDIUM
CVSS 6.5
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Information Disclosure
Microsoft
Windows Server 2008
-
CVE-2025-54095
MEDIUM
CVSS 6.5
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Information Disclosure
Microsoft
Windows Server 2008
-
CVE-2025-54094
MEDIUM
CVSS 6.7
Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Memory Corruption
Microsoft
Windows 10 1507
-
CVE-2025-54083
MEDIUM
CVSS 5.1
Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-53810
MEDIUM
CVSS 6.7
Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Memory Corruption
Microsoft
Windows 10 1507
-
CVE-2025-53809
MEDIUM
CVSS 6.5
Improper input validation in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Windows
Information Disclosure
Microsoft
Windows 11 24h2
Windows Server 2025
-
CVE-2025-53808
MEDIUM
CVSS 6.7
Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Memory Corruption
Microsoft
Windows 10 1507
-
CVE-2025-53806
MEDIUM
CVSS 6.5
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Information Disclosure
Microsoft
Windows Server 2008
-
CVE-2025-53804
MEDIUM
CVSS 5.5
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-53803
MEDIUM
CVSS 5.5
Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Microsoft
Windows 10 1507
Windows 10 1607
-
CVE-2025-53799
MEDIUM
CVSS 5.5
Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Windows
Information Disclosure
Microsoft
Office
Windows 10 1507
-
CVE-2025-53798
MEDIUM
CVSS 6.5
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Microsoft
Windows Server 2008
Windows Server 2012
-
CVE-2025-53797
MEDIUM
CVSS 6.5
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Microsoft
Windows Server 2008
Windows Server 2012
-
CVE-2025-53796
MEDIUM
CVSS 6.5
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Buffer Overflow
Microsoft
Windows Server 2008
Windows Server 2012
-
CVE-2025-53609
MEDIUM
CVSS 4.9
A Relative Path Traversal vulnerability [CWE-23] in FortiWeb 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.2 through 7.0.11 may allow an authenticated attacker to perform an. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
Fortinet
Fortiweb
-
CVE-2025-53348
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Laborator Kalium.18.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-53340
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in awesomesupport Awesome Support.3.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-53291
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in spoddev2021 Spreadconnect.1.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-52277
MEDIUM
CVSS 6.1
Cross Site Scripting vulnerability in YesWiki v.4.54 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
RCE
Yeswiki
-
CVE-2025-49860
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Majestic Support Majestic Support.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-49461
MEDIUM
CVSS 4.3
Cross-site scripting in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Denial Of Service
Workplace Desktop
Meeting Software Development Kit
Rooms
-
CVE-2025-49460
MEDIUM
CVSS 4.3
Uncontrolled resource consumption in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
Workplace Desktop
Meeting Software Development Kit
Rooms
Rooms Controller
-
CVE-2025-49458
MEDIUM
CVSS 6.5
Buffer overflow in certain Zoom Workplace Clients may allow an authenticated user to conduct a denial of service via network access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Buffer Overflow
Denial Of Service
Workplace Desktop
Meeting Software Development Kit
Rooms
-
CVE-2025-47997
MEDIUM
CVSS 6.5
Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Sql Server 2016
Sql Server 2017
Sql Server 2019
Sql Server 2022
-
CVE-2025-47437
MEDIUM
CVSS 6.4
Server-Side Request Forgery (SSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache.0.1. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SSRF
-
CVE-2025-47416
MEDIUM
CVSS 5.9
A vulnerability exists in the ConsoleFindCommandMatchList function in libsymproc. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Authentication Bypass
-
CVE-2025-47415
MEDIUM
CVSS 6.8
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal.000.0110.001 before 3.001.0031.001. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
-
CVE-2025-44595
MEDIUM
CVSS 6.1
Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Halo
-
CVE-2025-44593
MEDIUM
CVSS 6.1
Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Halo
-
CVE-2025-43786
MEDIUM
CVSS 6.9
Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Digital Experience Platform
Liferay Portal
-
CVE-2025-43781
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Digital Experience Platform
Liferay Portal
-
CVE-2025-43778
MEDIUM
CVSS 4.8
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7,. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Digital Experience Platform
Liferay Portal
-
CVE-2025-43777
MEDIUM
CVSS 5.1
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Digital Experience Platform
Liferay Portal
-
CVE-2025-43776
MEDIUM
CVSS 4.6
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7,. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Information Disclosure
Digital Experience Platform
Liferay Portal
-
CVE-2025-43775
MEDIUM
CVSS 4.6
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Digital Experience Platform
Liferay Portal
-
CVE-2025-43763
MEDIUM
CVSS 4.8
A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SSRF
Digital Experience Platform
Liferay Portal
-
CVE-2025-42938
MEDIUM
CVSS 6.1
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
SAP
-
CVE-2025-42930
MEDIUM
CVSS 6.5
SAP Business Planning and Consolidation allows an authenticated standard user to call a function module by crafting specific parameters that causes a loop, consuming excessive resources and resulting. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
SAP
-
CVE-2025-42926
MEDIUM
CVSS 5.3
SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application. Upon successful exploitation, an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.
Authentication Bypass
Java
SAP
Netweaver Application Server Java
-
CVE-2025-42925
MEDIUM
CVSS 4.3
Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Java
Information Disclosure
SAP
-
CVE-2025-42923
MEDIUM
CVSS 4.3
Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CSRF
SAP
-
CVE-2025-42920
MEDIUM
CVSS 6.1
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
XSS
SAP
Supplier Relationship Management
-
CVE-2025-42918
MEDIUM
CVSS 4.3
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Authentication Bypass
SAP
Sap Basis
-
CVE-2025-42917
MEDIUM
CVSS 6.5
SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
SAP
-
CVE-2025-42915
MEDIUM
CVSS 5.4
Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-42912
MEDIUM
CVSS 6.5
SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
SAP
-
CVE-2025-42911
MEDIUM
CVSS 5.0
SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Authentication Bypass
SAP
Sap Basis
-
CVE-2025-40757
MEDIUM
CVSS 6.3
A vulnerability has been identified in APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-40594
MEDIUM
CVSS 6.9
A vulnerability has been identified in SINAMICS G220 V6.4 (All versions < V6.4 HF2), SINAMICS S200 V6.4 (All versions < V6.4 HF7), SINAMICS S210 V6.4 (All versions < V6.4 HF2). Rated medium severity (CVSS 6.9), this vulnerability requires no authentication. No vendor patch available.
Privilege Escalation
Sinamics G220 Firmware
Sinamics S200 Firmware
Sinamics S210 Firmware
-
CVE-2025-39553
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in andy_moyle Church Admin.0.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-39541
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar.0.13. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-39523
MEDIUM
CVSS 4.7
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in GoodBarber GoodBarber.0.26. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Open Redirect
-
CVE-2025-36125
MEDIUM
CVSS 6.4
IBM Hardware Management Console - Power 10.3.1050.0 and 11.1.1110.0 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
IBM
Hardware Management Console
-
CVE-2025-36011
MEDIUM
CVSS 4.3
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
IBM
Jazz For Service Management
-
CVE-2025-34178
MEDIUM
CVSS 5.1
In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
PHP
XSS
Pfsense
-
CVE-2025-34177
MEDIUM
CVSS 5.1
In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
PHP
XSS
Pfsense
-
CVE-2025-34176
MEDIUM
CVSS 5.3
In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
PHP
Path Traversal
Pfsense
-
CVE-2025-34175
MEDIUM
CVSS 5.1
In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
PHP
XSS
Pfsense
-
CVE-2025-34174
MEDIUM
CVSS 5.1
In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
PHP
XSS
Pfsense
-
CVE-2025-34173
MEDIUM
CVSS 5.3
In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
PHP
Path Traversal
Pfsense
-
CVE-2025-34172
MEDIUM
CVSS 4.8
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
PHP
XSS
Pfsense
-
CVE-2025-32688
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Sovica Target Video Easy Publish.8.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-30875
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexandre Froger WP Weixin allows Stored XSS.3.16. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-10164
MEDIUM
CVSS 5.5
A security flaw has been discovered in lmsys sglang 0.4.6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-10123
MEDIUM
CVSS 5.5
A vulnerability was determined in D-Link DIR-823X up to 250416. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
D-Link
-
CVE-2025-10118
MEDIUM
CVSS 5.5
A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
-
CVE-2025-10116
MEDIUM
CVSS 5.5
A vulnerability was identified in SiempreCMS up to 1.3.6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
Authentication Bypass
File Upload
-
CVE-2025-10115
MEDIUM
CVSS 5.5
A vulnerability was determined in SiempreCMS up to 1.3.6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
-
CVE-2025-10114
MEDIUM
CVSS 5.5
A vulnerability was found in PHPGurukul Small CRM 4.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
-
CVE-2025-10113
MEDIUM
CVSS 5.5
A security vulnerability has been detected in itsourcecode Student Information Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
-
CVE-2025-10112
MEDIUM
CVSS 5.5
A weakness has been identified in itsourcecode Student Information Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
-
CVE-2025-10095
MEDIUM
CVSS 5.3
A SQL injection vulnerability has been identified in the SMPP server component of the SMSEagle firmware, specifically affecting the handling of certain parameters within the server's database. Rated medium severity (CVSS 5.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-9997
MEDIUM
CVSS 5.8
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in a SSH session.
Command Injection
-
CVE-2025-9996
MEDIUM
CVSS 5.8
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session.
Command Injection
-
CVE-2025-9542
MEDIUM
CVSS 5.4
The AutomatorWP - Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
WordPress
Authentication Bypass
-
CVE-2025-9489
MEDIUM
CVSS 5.0
The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
PHP
WordPress
RCE
Code Injection
-
CVE-2025-9269
MEDIUM
CVSS 6.9
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the embedded web server in various Lexmark devices. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SSRF
-
CVE-2025-9061
MEDIUM
CVSS 6.4
The Wilmer Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
WordPress
XSS
-
CVE-2025-9058
MEDIUM
CVSS 6.4
The Mikado Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
WordPress
XSS
-
CVE-2025-8712
MEDIUM
CVSS 5.4
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-8711
MEDIUM
CVSS 5.4
CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
Ivanti
Connect Secure
Policy Secure
Zero Trust Access Gateway
-
CVE-2025-7746
MEDIUM
CVSS 5.3
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause an unvalidated data injected by a malicious user potentially leading to modify or read data in a victim’s browser.
XSS
-
CVE-2025-5005
MEDIUM
CVSS 5.5
A vulnerability was detected in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.5.4. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SSRF
-
CVE-2024-45325
MEDIUM
CVSS 6.7
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiDDoS-F version 7.0.0 through 7.02 and before 6.6.3 may allow a. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Fortinet
Command Injection
Fortiddos F
-
CVE-2025-43774
None
Rejected reason: This CVE ID is rejected. No vendor patch available.
Information Disclosure
-
CVE-2025-42927
LOW
CVSS 3.4
SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL. Successful exploitation of known vulnerabilities in the outdated OpenSSL library would. Rated low severity (CVSS 3.4), this vulnerability has low attack complexity. No vendor patch available.
Java
Information Disclosure
OpenSSL
SAP
Adobe
-
CVE-2025-42914
LOW
CVSS 3.1
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
Authentication Bypass
SAP
-
CVE-2025-42913
LOW
CVSS 3.1
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
Authentication Bypass
SAP
-
CVE-2025-40803
LOW
CVSS 2.3
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). Rated low severity (CVSS 2.3), this vulnerability requires no authentication. No vendor patch available.
Information Disclosure
Ruggedcom Rst2428P Firmware
-
CVE-2025-40802
LOW
CVSS 2.3
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). Rated low severity (CVSS 2.3), this vulnerability requires no authentication. No vendor patch available.
Denial Of Service
Ruggedcom Rst2428P Firmware
-
CVE-2025-10122
LOW
CVSS 2.0
A vulnerability was found in Maccms10 2025.1000.4050. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
SQLi
-
CVE-2025-10121
LOW
CVSS 2.1
A flaw has been found in uverif up to 3.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-10117
LOW
CVSS 2.0
A weakness has been identified in SourceCodester Simple To-Do List System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
-
CVE-2025-10107
LOW
CVSS 2.0
A vulnerability has been found in TRENDnet TEW-831DR 1.0 (601.130.1.1410). Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command Injection
-
CVE-2025-9111
LOW
CVSS 3.5
The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
WordPress
XSS
Wpbot
-
CVE-2025-8889
LOW
CVSS 3.8
The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
WordPress
File Upload
Compress And Upload Plugin
-
CVE-2025-8277
LOW
CVSS 3.1
A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
Denial Of Service
Microsoft
-
CVE-2025-5500
LOW
CVSS 1.9
A flaw has been found in ZhenShi Mibro Fit App 1.6.3.17499 on Android. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Google