THREAT ALERT

ACT NOW CVE-2025-49844 9.9 UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available. | ACT NOW CVE-2025-60787 7.2 MotionEye video surveillance software version 0.43.1b4 and earlier contains an authenticated OS command injection via configuration parameters such as image_file_name. Admin users can inject commands that execute when the Motion daemon restarts, achieving code execution on the surveillance server. | ACT NOW CVE-2025-41244 7.8 VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | ACT NOW CVE-2025-20362 6.5 Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and EPSS exploitation probability 43.6%. | ACT NOW CVE-2025-20333 9.9 A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and EPSS exploitation probability 18.8%. | ACT NOW CVE-2025-20352 7.7 A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-10585 9.8 Google Chrome V8 JavaScript engine contains a type confusion vulnerability enabling heap corruption through crafted HTML pages, exploited in the wild in June 2025. | ACT NOW CVE-2025-26399 9.8 SolarWinds Web Help Desk contains an unauthenticated deserialization RCE via AjaxProxy, a patch bypass of both CVE-2024-28988 and CVE-2024-28986, the third iteration of this vulnerability. | EMERGENCY CVE-2025-59528 10.0 Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process. | ACT NOW CVE-2025-59689 6.1 Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48703 9.0 CentOS Web Panel (CWP) allows unauthenticated remote code execution through OS command injection in the filemanager changePerm request's t_total parameter. | ACT NOW CVE-2025-10035 10.0 Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures. | EMERGENCY CVE-2025-9242 9.3 WatchGuard Fireware OS contains an out-of-bounds write in IKEv2 VPN handling enabling unauthenticated remote code execution on WatchGuard firewalls. | EMERGENCY CVE-2025-52053 9.8 TOTOLINK X6000R router firmware V9.4.0cu.1360_B20241207 contains an unauthenticated command injection in the sub_417D74 function via the file_name parameter. Remote attackers can execute arbitrary commands on the router without authentication through crafted HTTP requests. |

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Get CVEs that hit your stack — not 200/day

Pick your technologies, get a weekly digest by email. Free, no spam.

React Python Postgres +200 more

React Next.js Python Postgres AWS +200 more

Trending Now See all

Critical Watch See all

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Incoming 20

Pre-NVD – not yet scored

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — October 13, 2025

14 CVEs tracked today. 0 Critical, 1 High, 8 Medium, 5 Low.

CVE-2025-11666 HIGH CVSS 7.0
Hard-coded credentials in Tenda RP3 Pro firmware (versions up to 22.5.7.93) allow local high-privilege attackers to bypass authentication during firmware updates via the force_upgrade.sh script. Public exploit code exists on GitHub. CVSS 7.0 (High) reflects local access requirement with high privileges, making this a lower real-world priority despite the severity rating - exploitation requires an attacker to already have administrative console access to the device.

Authentication Bypass Tenda
CVE-2025-11662 MEDIUM CVSS 5.5
A security flaw has been discovered in SourceCodester Best Salon Management System 1.0. Impacted is an unknown function of the file /booking.php. The manipulation of the argument serv_id results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the publ...

PHP SQLi Best Salon Management System
CVE-2025-11661 MEDIUM CVSS 5.5
A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and c...

Authentication Bypass School Management System
CVE-2025-11660 MEDIUM CVSS 5.5
A vulnerability has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Affected by this issue is some unknown functionality of the file /assets/uploadSllyabus.php. Such manipulation of the argument File leads to unrestricted upload. The attack ...

PHP Authentication Bypass File Upload School Management System
CVE-2025-11659 MEDIUM CVSS 5.5
A flaw has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Affected by this vulnerability is an unknown functionality of the file /assets/uploadNotes.php. This manipulation of the argument File causes unrestricted upload. Remote exploitation...

PHP Authentication Bypass File Upload School Management System
CVE-2025-11658 MEDIUM CVSS 5.5
A vulnerability was detected in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Affected is an unknown function of the file /assets/changeSllyabus.php. The manipulation of the argument File results in unrestricted upload. The attack may be launched remote...

PHP Authentication Bypass File Upload School Management System
CVE-2025-11657 MEDIUM CVSS 5.5
A security vulnerability has been detected in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This impacts an unknown function of the file /assets/createNotice.php. The manipulation of the argument File leads to unrestricted upload. The attack may be init...

PHP Authentication Bypass File Upload School Management System
CVE-2025-11656 MEDIUM CVSS 5.5
A weakness has been identified in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown function of the file /assets/editNotes.php. Executing manipulation of the argument File can lead to unrestricted upload. The attack can be launched r...

PHP Authentication Bypass File Upload School Management System
CVE-2025-11654 MEDIUM CVSS 5.5
A vulnerability was identified in yousaf530 Inferno Online Clothing Store up to 827dd42bfbe380e8de76fdc67958c24cf1246208. The affected element is an unknown function of the file /log.php. Such manipulation of the argument cemail/password leads to sql injection. It is possible to launch the attack re...

PHP SQLi
CVE-2025-11668 LOW CVSS 2.0
SQL injection in Automated Voting System 1.0 allows high-privileged remote attackers to manipulate the Password parameter in /admin/update_user.php, potentially causing limited confidentiality and integrity impacts. The vulnerability requires admin-level privileges (PR:H) to exploit and has publicly available exploit code, but carries very low real-world risk due to EPSS of 0.01% and the high privilege requirement that limits practical attack surface.

PHP SQLi Automated Voting System
CVE-2025-11667 LOW CVSS 2.1
SQL injection in Automated Voting System 1.0 allows authenticated remote attackers to manipulate the firstname parameter in /admin/add_candidate_modal.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability has a very low CVSS score (2.1) due to requirement for authenticated access and limited scope, but publicly available exploit code exists. Active exploitation is not confirmed in CISA KEV, and the EPSS score of 0.01% indicates minimal real-world exploitation probability despite public POC availability.

PHP SQLi Automated Voting System
CVE-2025-11664 LOW CVSS 2.0
SQL injection in Campcodes Online Beauty Parlor Management System 1.0 allows high-privileged attackers to manipulate the searchdata parameter in /admin/search-appointment.php, enabling arbitrary database queries with limited confidentiality and integrity impact. The vulnerability requires administrative privileges to exploit and has a publicly disclosed proof-of-concept, though real-world exploitation risk is minimal given the EPSS score of 0.01% and the requirement for high-privilege access.

PHP SQLi Online Beauty Parlor Management System
CVE-2025-11663 LOW CVSS 2.0
SQL injection in Campcodes Online Beauty Parlor Management System 1.0 allows authenticated high-privilege administrators to execute arbitrary SQL queries via the sername parameter in /admin/manage-services.php. The vulnerability requires high administrative privileges and has publicly available exploit code, though real-world impact is limited by its requirement for already-compromised admin accounts with no lateral movement or privilege escalation capability.

PHP SQLi Online Beauty Parlor Management System
CVE-2025-11655 LOW CVSS 2.0
Improper access control in Total.js Flow SVG File Handler allows high-privileged remote attackers to upload files without proper restrictions, bypassing upload security controls. The vulnerability affects versions up to commit 673ef9144dd25d4f4fd4fdfda5af27f230198924 and has public exploit code available, though real-world exploitation risk is constrained by the requirement for administrative privileges (PR:H in CVSS vector) and minor confidentiality/integrity impact.

Authentication Bypass File Upload

Track CVEs for your stack Sign up free →

Today's Vulnerabilities Vulnerabilities