Skip to main content
CVE-2025-34267 HIGH POC PATCH This Week

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when 'ALLOW_BUILTIN_DEP' is enabled) lets a logged-in user break out of the nodevm sandbox by abusing the bundled Puppeteer and Playwright modules. Because a custom tool can specify an attacker-controlled browser binary path and launch parameters, executing that tool runs an arbitrary executable on the host outside the intended sandbox, yielding code execution in the host context. Publicly available exploit code exists; the flaw is not listed in CISA KEV, and it was mis-filed by the vendor as a duplicate of CVE-2025-26319 but is distinct.

RCE Command Injection Flowise
NVD GitHub
CVSS 4.0
8.4
EPSS
6.1%
CVE-2025-59249 HIGH This Week

Privilege escalation in Microsoft Exchange Server (including 2016 cumulative updates and Subscription Edition) allows an authenticated network attacker to elevate privileges due to weak authentication mechanisms (CWE-1390). With a CVSS score of 8.8 and full confidentiality, integrity, and availability impact, this represents a significant risk to mail infrastructure, though no public exploit identified at time of analysis.

Microsoft Information Disclosure Exchange Server Exchange Server Subscription Edition
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2025-11715 HIGH PATCH This Week

Memory corruption in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3 enables remote arbitrary code execution when users interact with malicious content. Exploitation requires user interaction (opening crafted web content or email), but no authentication is needed. Mozilla issued patches in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. With CVSS 8.8 and EPSS data unavailable, the vulnerability represents critical risk to unpatched installations. No public exploit identified at time of analysis, though Mozilla's acknowledgment of memory corruption evidence suggests exploitation is technically feasible.

Mozilla RCE Buffer Overflow Thunderbird Red Hat +1
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-11714 HIGH PATCH This Week

Memory corruption vulnerabilities in Mozilla Firefox and Thunderbird allow remote code execution when users interact with malicious web content. Affects Firefox ESR 115.28 and below, Firefox ESR 140.3 and below, Firefox 143 and below, Thunderbird 143 and below, and Thunderbird ESR 140.3 and below. Mozilla confirmed memory safety bugs with evidence of memory corruption presumed exploitable for arbitrary code execution. Vendor-released patches available: Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSS 8.8 severity driven by network attack vector with low complexity requiring only user interaction, no authentication required. No public exploit identified at time of analysis, though multiple internal bug reports suggest coordinated fix effort.

Mozilla RCE Buffer Overflow Thunderbird Red Hat +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-10228 HIGH This Week

Session hijacking against Rolantis Information Technologies Agentis prior to version 4.44 is possible because the application fails to regenerate session identifiers across authentication state changes, letting a remote attacker who can lure a victim into using an attacker-supplied session token take over the authenticated session. CVSS 8.8 reflects full confidentiality, integrity, and availability impact once hijacked, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Information Disclosure Session Fixation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-49552 HIGH This Week

DOM-based Cross-Site Scripting in Adobe Connect 12.9 and earlier enables session hijacking when high-privileged administrators interact with attacker-crafted pages. Scope change to 'C' indicates the attacker can pivot beyond the vulnerable component's security boundary, allowing privileged session takeover that impacts both confidentiality and integrity at high levels. No active exploitation confirmed per CISA KEV at time of analysis. Adobe has released security advisory APSB25-70 addressing this vulnerability.

XSS Adobe
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-11720 HIGH PATCH This Week

User interface spoofing in Firefox and Firefox Focus for Android's custom tab implementation allows remote attackers to misrepresent subdomain origins, enabling phishing attacks through crafted URLs. The custom tab feature truncates displayed hostnames to show only the parent domain, allowing malicious content on attacker-controlled subdomains (e.g., evil.example.com) to appear as legitimate sibling subdomains (e.g., legitimate.example.com). With CVSS 8.1 (High Confidentiality/Integrity impact) and no authentication required, this represents significant phishing risk for Android Firefox users. Patched in Firefox 144; no public exploit identified at time of analysis, though the UI flaw is straightforward to exploit.

Mozilla Google Information Disclosure Suse
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-11713 HIGH PATCH This Week

Command injection via Firefox/Thunderbird 'Copy as cURL' feature on Windows allows remote attackers to execute arbitrary commands when users copy network requests as cURL commands and paste them into terminals. Affects Firefox <144, Firefox ESR <140.4, Thunderbird <144, and Thunderbird <140.4 exclusively on Windows platforms. No public exploit identified at time of analysis, but attack vector requires only user interaction (CVSS PR:N/UI:R) with no privileges needed.

Mozilla Information Disclosure Microsoft Thunderbird Red Hat +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-59234 HIGH This Week

Local code execution in Microsoft Office (including 365 Apps Enterprise, Office 2016/2019, and Office LTSC 2021 across Windows, macOS, and Android) is possible when a victim opens a maliciously crafted document that triggers a use-after-free condition. An unauthorized attacker who convinces a user to open the file can execute arbitrary code in the context of the current user, with no public exploit identified at time of analysis. CVSS is 7.8 reflecting local attack vector with required user interaction but full confidentiality, integrity, and availability impact.

Memory Corruption Microsoft Denial Of Service Use After Free 365 Apps +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-59227 HIGH This Week

Local code execution in Microsoft Office (including Microsoft 365 Apps Enterprise, Office 2016/2019, and Office LTSC 2021 across Windows x86/x64, macOS, and Android) arises from a use-after-free memory corruption (CWE-416) that an attacker can trigger by convincing a user to open a crafted document. Exploitation runs in the context of the current user with high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Memory Corruption Microsoft Denial Of Service Use After Free 365 Apps +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-53782 HIGH This Week

Local privilege escalation in Microsoft Exchange Server 2016 (and Subscription Edition) stems from an incorrect implementation of an authentication algorithm (CWE-303), allowing a low-privileged local user to gain high-impact control over confidentiality, integrity, and availability of the mail platform. The flaw was reported by Microsoft (MSRC) and carries a CVSS 3.1 base of 7.8 (AV:L/AC:L/PR:L/UI:N). At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation by an authenticated insider on an Exchange host would yield full server compromise.

Microsoft Authentication Bypass Exchange Server Exchange Server Subscription Edition
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2025-59248 HIGH This Week

Spoofing in Microsoft Exchange Server (including 2016 cumulative updates and Subscription Edition) allows remote unauthenticated attackers to impersonate trusted entities over the network due to improper input validation. The flaw carries a CVSS 7.5 with integrity-only impact, and no public exploit identified at time of analysis. Defenders should treat it as a credible spoofing/authentication-bypass primitive that may be chained with downstream phishing or follow-on Exchange attacks.

Microsoft Authentication Bypass Exchange Server Exchange Server Subscription Edition
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2025-57740 HIGH This Week

Authenticated remote code execution in Fortinet FortiOS, FortiProxy, and FortiPAM enables low-privileged users to trigger a heap-based buffer overflow through crafted RDP bookmark connection requests. The flaw affects multiple major release trains across all three product families, including FortiOS 7.6.2 and earlier, 7.4.7 and earlier, 7.2.10 and earlier, and all 6.4/7.0 versions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Fortinet Heap Overflow Buffer Overflow Fortiproxy Fortipam +1
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-25253 HIGH This Week

Man-in-the-middle interception is possible against the ZTNA proxy in FortiProxy 7.6.1 and earlier, 7.4.8 and earlier, and all 7.2/7.0 versions, as well as FortiOS 7.6.2 and earlier, 7.4.8 and earlier, and all 7.2/7.0 versions, due to improper certificate-host validation (CWE-297). An adjacent network attacker in a privileged path-position can intercept and tamper with ZTNA proxy connections, undermining a control specifically deployed to enforce zero-trust authentication. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Fortinet Information Disclosure Fortiproxy Fortios
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-60535 HIGH This Week

Cross-Site Request Forgery in Wallos v4.1.1 lets remote attackers trick an authenticated user's browser into submitting a crafted GET request to the /endpoints/currency/currency component, performing unwanted currency operations without the victim's consent. The flaw stems from missing anti-CSRF token validation on state-changing requests. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), indicating little observed exploitation interest.

CSRF
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy