THREAT ALERT

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — September 12, 2025

94 CVEs tracked today. 10 Critical, 29 High, 48 Medium, 6 Low.

CVE-2025-58434 CRITICAL CVSS 9.8
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Flowise
CVE-2025-55835 CRITICAL CVSS 9.8
File Upload vulnerability in SueamCMS v.0.1.2 allows a remote attacker to execute arbitrary code via the lack of filtering. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Sueamcms
CVE-2025-45583 CRITICAL CVSS 9.1
Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Universal Traffic Recorder Firmware
CVE-2025-21043 HIGH CVSS 8.8
Samsung libimagecodec.quram.so contains a second out-of-bounds write in the image codec library, a separate vulnerability from CVE-2025-21042 affecting Samsung devices.

Memory Corruption Buffer Overflow RCE Android
CVE-2025-21042 HIGH CVSS 8.8
Samsung libimagecodec.quram.so contains an out-of-bounds write allowing remote code execution through crafted image files on Samsung Android devices.

Memory Corruption Buffer Overflow RCE Android
CVE-2025-10266 CRITICAL CVSS 9.3
NUP Pro developed by NewType Infortech has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
CVE-2025-8699 CRITICAL CVSS 9.1
Some "Stored Value" Unattended Payment Solutions of KioSoft use vulnerable NFC cards. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2024-45434 CRITICAL CVSS 9.8
OpenSynergy BlueSDK (aka Blue SDK) through 6.x has a Use-After-Free. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Denial Of Service RCE Use After Free Blue Sdk
CVE-2025-10365 CRITICAL CVSS 9.3
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass PHP Command Injection
CVE-2025-10364 CRITICAL CVSS 9.3
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Command Injection PHP
CVE-2025-10264 CRITICAL CVSS 10.0
Certain models of NVR developed by Digiever has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remoter attackers to access the system configuration file and obtain. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-9556 CRITICAL CVSS 9.8
Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Langchain AI / ML
CVE-2025-59054 HIGH CVSS 8.5
dstack is a software development kit (SDK) to simplify the deployment of arbitrary containerized apps into trusted execution environments. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure
CVE-2025-58754 HIGH CVSS 7.5
Axios is a promise based HTTP client for the browser and Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Axios Redhat
CVE-2025-57579 HIGH CVSS 8.0
An issue in TOTOLINK Wi-Fi 6 Router Series Device X2000R-Gh-V2.0.0 allows a remote attacker to execute arbitrary code via the default password. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE X2000r Firmware TOTOLINK
CVE-2025-57578 HIGH CVSS 8.0
An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass RCE
CVE-2025-57577 HIGH CVSS 8.0
An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass RCE
CVE-2025-55319 HIGH CVSS 8.8
Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Visual Studio Code
CVE-2025-45587 HIGH CVSS 7.0
A stack overflow in the FTP service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Stack Overflow Universal Traffic Recorder Firmware
CVE-2025-45586 HIGH CVSS 7.5
An issue in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to arbitrarily overwrite files via supplying a crafted PUT request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Universal Traffic Recorder Firmware
CVE-2025-45584 HIGH CVSS 7.5
Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Universal Traffic Recorder Firmware
CVE-2025-43796 HIGH CVSS 7.1
Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Digital Experience Platform Liferay Portal
CVE-2025-39797 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: xfrm: Duplicate SPI Handling The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI Netlink message, which triggers. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39796 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: net: lapbether: ignore ops-locked netdevs Syzkaller managed to trigger lock dependency in xsk_notify via register_netdevice. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39793 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: io_uring/memmap: cast nr_pages to size_t before shifting If the allocated size exceeds UINT_MAX, then it's necessary to cast the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Buffer Overflow Linux Linux Kernel Redhat Suse
CVE-2025-27240 HIGH CVSS 7.5
A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zabbix
CVE-2025-27234 HIGH CVSS 7.3
Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Command Injection RCE
CVE-2025-10269 HIGH CVSS 7.5
The Spirit Framework plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.13. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

WordPress Lfi PHP RCE Information Disclosure
CVE-2025-10265 HIGH CVSS 8.7
Certain models of NVR developed by Digiever has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
CVE-2025-10176 HIGH CVSS 7.2
The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Path Traversal RCE
CVE-2025-9807 HIGH CVSS 7.5
The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi PHP
CVE-2025-9086 HIGH CVSS 7.5
1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Curl Debian Linux Redhat
CVE-2025-8575 HIGH CVSS 7.2
The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE
CVE-2025-7448 HIGH CVSS 8.6
Wi-SUN unexpected 4- Way Handshake packet receptions may lead to predictable keys and potentially leading to Man in the middle (MitM) attack. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-6638 HIGH CVSS 7.5
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Transformers Hugging Face AI / ML Redhat
CVE-2025-6454 HIGH CVSS 8.5
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Gitlab SSRF
CVE-2025-4235 HIGH CVSS 7.2
An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Paloalto Microsoft Information Disclosure Windows
CVE-2025-2256 HIGH CVSS 7.5
An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Gitlab
CVE-2024-45432 HIGH CVSS 7.5
OpenSynergy BlueSDK (aka Blue SDK) through 6.x mishandles a function call. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Blue Sdk
CVE-2025-59139 MEDIUM CVSS 5.3
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Hono
CVE-2025-59058 MEDIUM CVSS 5.9
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
CVE-2025-58781 MEDIUM CVSS 6.3
WTW-EAGLE App does not properly validate server certificates, which may allow a man-in-the-middle attacker to monitor encrypted traffic. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-56467 MEDIUM CVSS 6.5
An issue was discovered in AXIS BANK LIMITED Axis Mobile App 9.9 that allows attackers to obtain sensitive information without a UPI PIN, such as account information, balances, transaction history,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-55996 MEDIUM CVSS 6.3
Viber Desktop 25.6.0 is vulnerable to HTML Injection via the text parameter of the message compose/forward interface. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Viber
CVE-2025-52074 MEDIUM CVSS 6.1
PHPGURUKUL Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) due to lack of input sanitization in the quantity parameter when adding a product to the cart. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Online Shopping Portal
CVE-2025-45585 MEDIUM CVSS 5.4
Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Universal Traffic Recorder Firmware
CVE-2025-43795 MEDIUM CVSS 5.1
Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Digital Experience Platform Liferay Portal
CVE-2025-43788 MEDIUM CVSS 5.3
The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Digital Experience Platform Liferay Portal
CVE-2025-43787 MEDIUM CVSS 5.1
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
CVE-2025-39798 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabilities when automounting a new filesystem Capabilities cannot be inherited when we cross into a new. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39795 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow for chunk_sectors check in blk_stack_limits() In blk_stack_limits(), we check that the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Buffer Overflow Linux Linux Kernel Debian Linux Redhat
CVE-2025-39794 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Linux Linux Kernel Debian Linux Redhat
CVE-2025-39792 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: dm: Always split write BIOs to zoned device limits Any zoned DM target that requires zone append emulation will use the block layer. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-27233 MEDIUM CVSS 5.7
Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. Rated medium severity (CVSS 5.7). No vendor patch available.

Command Injection Microsoft Windows
CVE-2025-10330 MEDIUM CVSS 5.3
A flaw has been found in cdevroe unmark up to 1.9.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Unmark
CVE-2025-10329 MEDIUM CVSS 5.3
A vulnerability was detected in cdevroe unmark up to 1.9.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Unmark
CVE-2025-10328 MEDIUM CVSS 5.3
A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Rpi Jukebox Rfid
CVE-2025-10327 MEDIUM CVSS 5.3
A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Rpi Jukebox Rfid
CVE-2025-10326 MEDIUM CVSS 5.3
A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Rpi Jukebox Rfid
CVE-2025-10325 MEDIUM CVSS 5.3
A vulnerability was identified in Wavlink WL-WN578W2 221110. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Wl Wn578W2 Firmware
CVE-2025-10324 MEDIUM CVSS 6.9
A vulnerability was determined in Wavlink WL-WN578W2 221110. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Wl Wn578W2 Firmware
CVE-2025-10323 MEDIUM CVSS 6.9
A vulnerability was found in Wavlink WL-WN578W2 221110. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Wl Wn578W2 Firmware
CVE-2025-10322 MEDIUM CVSS 5.5
A vulnerability has been found in Wavlink WL-WN578W2 221110. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wl Wn578W2 Firmware
CVE-2025-10321 MEDIUM CVSS 5.5
A flaw has been found in Wavlink WL-WN578W2 221110. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wl Wn578W2 Firmware
CVE-2025-10319 MEDIUM CVSS 5.3
A security flaw has been discovered in JeecgBoot up to 3.8.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jeecg Boot
CVE-2025-10318 MEDIUM CVSS 5.3
A vulnerability was identified in JeecgBoot up to 3.8.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jeecg Boot
CVE-2025-10291 MEDIUM CVSS 5.3
A weakness has been identified in linlinjava litemall up to 1.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Litemall
CVE-2025-10288 MEDIUM CVSS 5.5
A vulnerability was found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-10278 MEDIUM CVSS 5.3
A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ruoyi Vue Pro
CVE-2025-10277 MEDIUM CVSS 5.3
A vulnerability was detected in YunaiV yudao-cloud up to 2025.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Yudao Cloud
CVE-2025-10276 MEDIUM CVSS 5.3
A security vulnerability has been detected in YunaiV ruoyi-vue-pro up to 2025.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ruoyi Vue Pro
CVE-2025-10275 MEDIUM CVSS 5.3
A weakness has been identified in YunaiV yudao-cloud up to 2025.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Yudao Cloud
CVE-2025-10274 MEDIUM CVSS 5.3
A security flaw has been discovered in erjinzhi 10OA 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS 10Oa
CVE-2025-10273 MEDIUM CVSS 5.1
A vulnerability was identified in erjinzhi 10OA 1.0. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal 10Oa
CVE-2025-10267 MEDIUM CVSS 6.9
NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-10148 MEDIUM CVSS 5.3
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Curl Redhat Suse
CVE-2025-10094 MEDIUM CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
CVE-2025-9881 MEDIUM CVSS 6.1
The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
CVE-2025-9880 MEDIUM CVSS 6.1
The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
CVE-2025-9879 MEDIUM CVSS 6.4
The Spotify Embed Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotify' shortcode in all versions up to, and including, 1.0.5 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-9877 MEDIUM CVSS 6.4
The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Google XSS PHP
CVE-2025-8280 MEDIUM CVSS 5.8
The Contact Form 7 reCAPTCHA WordPress plugin through version 1.2.0 contains a reflected cross-site scripting (XSS) vulnerability caused by improper handling of the REQUEST_URI server variable. An attacker can craft a malicious URL containing JavaScript payload that, when clicked by a user in vulnerable browsers, executes arbitrary code in the victim's session with access to form data and site functionality. While a public proof-of-concept exists and the vulnerability affects all versions through 1.2.0, the low EPSS score (0.04%, percentile 12%) and requirement for user interaction and older browser targets suggest limited real-world exploitation likelihood despite the moderate CVSS 5.8 score.

XSS WordPress PHP Contact Form 7 Recaptcha
CVE-2025-7337 MEDIUM CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user with. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
CVE-2025-6769 MEDIUM CVSS 4.3
An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
CVE-2025-1250 MEDIUM CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
CVE-2024-45433 MEDIUM CVSS 6.5
OpenSynergy BlueSDK (aka Blue SDK) through 6.x has Incorrect Control Flow Scoping. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Blue Sdk
CVE-2024-45431 MEDIUM CVSS 5.3
OpenSynergy BlueSDK (aka Blue SDK) through 6.x has Improper Input Validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Blue Sdk
CVE-2025-43789 LOW CVSS 1.0
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes. Rated low severity (CVSS 1.0). No vendor patch available.

Authentication Bypass Digital Experience Platform Liferay Portal
CVE-2025-39799 None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
CVE-2025-27238 LOW CVSS 2.1
Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Zabbix
CVE-2025-10320 LOW CVSS 2.3
A vulnerability was detected in iteachyou Dreamer CMS up to 4.1.3.2. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Brute Force Information Disclosure
CVE-2025-10287 LOW CVSS 2.3
A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure
CVE-2025-4234 LOW CVSS 2.4
A problem with the Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack can result in exposure of user credentials in application logs. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

Paloalto Microsoft Information Disclosure
CVE-2025-3650 LOW CVSS 3.5
The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP

Today's Vulnerabilities Vulnerabilities