Skip to main content
CVE-2025-54236 CRITICAL POC KEV THREAT Emergency

Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote unauthenticated attackers to take over active user sessions via improper input validation, confirmed actively exploited (CISA KEV). With 73.72% EPSS score (99th percentile) and public exploit code available, this represents a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts including administrative sessions without requiring victim interaction.

Adobe Information Disclosure
NVD
CVSS 3.1
9.1
EPSS
73.7%
Threat
7.0
CVE-2025-58768 CRITICAL POC Act Now

DeepChat is a smart assistant uses artificial intelligence. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection XSS Deepchat
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-58762 CRITICAL POC PATCH Act Now

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python RCE Path Traversal Tautulli
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2025-55730 CRITICAL Act Now

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.5%
CVE-2025-55729 CRITICAL Act Now

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.5%
CVE-2025-55051 CRITICAL Act Now

CWE-1392: Use of Default Credentials. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-32486 CRITICAL Act Now

Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard.4.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-58997 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection.10. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-40795 CRITICAL Act Now

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions <. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Stack Overflow RCE
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-58462 CRITICAL Act Now

OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Foiaxpress Public Access Link
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-47569 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-42958 CRITICAL Act Now

Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SAP IBM Privilege Escalation
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-47579 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.5.2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.0
EPSS
0.1%
CVE-2025-59046 CRITICAL This Week

The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Node.js
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-59039 CRITICAL MAL This Week

Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-58448 CRITICAL PATCH This Week

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Rathena
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-58447 CRITICAL PATCH This Week

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow Denial Of Service Buffer Overflow RCE Rathena
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-57633 CRITICAL This Week

A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-10159 CRITICAL This Week

An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-44594 CRITICAL This Week

halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Halo
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-55728 CRITICAL PATCH This Week

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Atlassian RCE Code Injection Pro Macros
NVD GitHub
CVSS 3.1
10.0
EPSS
3.3%
CVE-2025-55727 CRITICAL POC PATCH Act Now

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Atlassian RCE Code Injection Pro Macros
NVD GitHub
CVSS 3.1
10.0
EPSS
6.9%
CVE-2025-55050 CRITICAL This Week

CWE-1242: Inclusion of Undocumented Features. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-55049 CRITICAL This Week

Use of Default Cryptographic Key (CWE-1394). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-57085 CRITICAL POC Act Now

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Denial Of Service Buffer Overflow Stack Overflow W30e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-55232 CRITICAL This Week

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Microsoft Hpc Pack
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2025-54261 CRITICAL This Week

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Coldfusion
NVD
CVSS 3.1
10.0
EPSS
2.0%
CVE-2025-10183 CRITICAL This Week

A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-9994 CRITICAL This Week

The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-40804 CRITICAL This Week

A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-10134 CRITICAL This Week

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP RCE
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-42944 CRITICAL This Week

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Deserialization SAP Java
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-42922 CRITICAL This Week

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection Java
NVD
CVSS 3.1
9.9
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy