Skip to main content
CVE-2025-56399 HIGH This Week

Remote code execution in alexusmai laravel-file-manager (versions 3.3.1 and earlier) lets an authenticated user with file-manager access run arbitrary PHP on the server by uploading a PHP payload disguised with a .png extension, then abusing the rename API to give it a .php extension so it executes when requested via a public URL. The flaw stems from client-side-only upload validation combined with an unrestricted rename operation and web-accessible storage. No CISA KEV listing; EPSS is a modest 0.55% (42nd percentile), but a dedicated GitHub repository referencing this CVE indicates public proof-of-concept material likely exists.

Code Injection PHP File Upload RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-60349 HIGH This Week

Denial of service in Prevx 3.0.5.220 lets a local attacker terminate protected processes by sending IOCTL code 0x22E044 to the pxscan.sys kernel driver, which force-kills every process enumerated under the HKLM\System\CurrentControlSet\Services\pxscan\Files registry key. A GitHub repository named for the CVE indicates publicly available exploit code exists, though the vulnerability is not in CISA KEV and carries a low EPSS score of 0.34% (26th percentile). Prevx is a long-retired anti-malware product (absorbed into Webroot circa 2011), so real-world exposure is minimal.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-60805 HIGH This Week

Information disclosure in BESSystem (Baolande) BES Application Server through version 9.5.x lets remote unauthenticated attackers retrieve sensitive data by abusing the "pre-resource" option in the bes-web.xml deployment descriptor. The flaw exposes protected resources or configuration content over the network with no authentication (CVSS 7.5, C:H). No public exploit identified at time of analysis, though a third-party gist referencing the issue is linked in NVD; EPSS is low at 0.34% (26th percentile).

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-12341 HIGH This Week

Link following vulnerability in AntiDupl.NET.WinForms.exe (versions through 2.3.12) allows local authenticated users to manipulate file operations during duplicate image deletion, potentially achieving unauthorized file access or modification with elevated integrity. Proof-of-concept exploit code exists (CVSS E:P). The vendor (ermig1979) was notified but has not responded, leaving users without an official patch.

Information Disclosure
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy