Skip to main content
CVE-2025-55754 CRITICAL PATCH CISA Act Now

ANSI escape sequence injection in Apache Tomcat log messages enables console manipulation and social engineering attacks against administrators on Windows systems. Attackers can craft malicious URLs that inject escape sequences into Tomcat logs, potentially manipulating console output and clipboard contents to trick administrators into executing attacker-controlled commands. This affects Tomcat 9.0.40-9.0.108, 10.1.0-M1-10.1.44, and 11.0.0-M1-11.0.10, with highest risk when Tomcat runs in ANSI-capable Windows consoles. Despite the 9.6 CVSS score, real-world risk is lower as exploitation requires user interaction (administrator viewing logs in console), scope change indicating console compromise beyond Tomcat process, and specific Windows deployment configuration. No active exploitation confirmed (not in CISA KEV), and EPSS data not available at time of analysis.

Microsoft Apache Tomcat Code Injection Red Hat +1
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-34292 CRITICAL Act Now

Remote code execution in Rox, the PHP platform powering the BeWelcome hospitality-exchange community, arises from unsafe unserialize() calls on attacker-controllable input: the POST parameter `formkit_memory_recovery` handled by RoxPostHandler::getCallbackAction and the `bwRemember` 'memory cookie' read by RoxModelBase::getMemoryCookie. Because usable PHP gadget chains ship in Rox and its bundled libraries, an attacker with low-level access can trigger PHP object injection to write arbitrary files or execute code, resulting in full site compromise. The issue carries a CVSS 4.0 base score of 9.4 and was fixed in commit c60bf04 (2025-06-16); no public exploit identified at time of analysis, though a referenced technical gist may contain exploitation detail.

PHP RCE Deserialization
NVD GitHub
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-62959 CRITICAL Act Now

Remote code execution in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions up to 7.3.23) allows authenticated administrators to inject and execute arbitrary code through code injection vulnerabilities. The CVSS 9.1 severity reflects scope change and high impact across confidentiality, integrity, and availability. EPSS exploitation probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring privileged access rather than an imminent mass-exploitation threat.

WordPress PHP Code Injection RCE
NVD
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy