Skip to main content
CVE-2025-6520 CRITICAL Act Now

Blind SQL injection in Abis Technology BAPSIS versions prior to 202510271606 allows unauthenticated remote attackers to manipulate backend database queries over the network with no user interaction. The CVSS 9.8 rating reflects full compromise of confidentiality, integrity, and availability, though EPSS remains very low at 0.04% (13th percentile) and no public exploit identified at time of analysis. Disclosure originates from Turkey's national CERT (USOM), suggesting regional product exposure rather than mass-market footprint.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-60749 HIGH This Week

Local privilege-agnostic code execution in Trimble SketchUp desktop 2025 for Windows occurs when its helper process sketchup_webhelper.exe loads an attacker-supplied libcef.dll from an insecure search path (CWE-427). A local attacker who can drop a crafted DLL into a directory searched by the helper gains full confidentiality, integrity, and availability impact in the context of the running process. No public exploit identified in the provided data, though a third-party technical writeup (yawataa.github.io) documenting the issue exists; EPSS is low at 0.17% (7th percentile), indicating negligible measured exploitation activity.

Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2025-64366 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy LMS: from n/a through <= 3.6.27.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-64360 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting Elementor Widgets consulting-elementor-widgets allows PHP Local File Inclusion.This issue affects Consulting Elementor Widgets: from n/a through <= 1.4.2.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64359 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting consulting allows PHP Local File Inclusion.This issue affects Consulting: from n/a through < 6.7.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-30189 HIGH PATCH This Week

Authentication cache collision in Dovecot mail server allows remote attackers to gain unauthorized access to other users' accounts under specific caching configurations. When passdb/userdb caching is enabled, certain drivers incorrectly use identical cache keys for multiple distinct users, causing authentication data from one user to be applied to subsequent login attempts by different users. This vulnerability enables attackers to authenticate as other users after the legitimate user's credentials are cached, with no public exploit identified at time of analysis. Despite low EPSS probability (0.03%), the network-accessible attack vector and potential for unauthorized email access warrants immediate remediation in environments using affected caching configurations.

Dovecot Authentication Bypass Information Disclosure Suse
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-64348 HIGH PATCH This Week

Configuration file manipulation in ELOG electronic logbook system allows authenticated attackers to trigger denial of service by modifying or overwriting the configuration file. If the rarely-used execute facility is enabled via '-x' command line flag, the vulnerability escalates to remote code execution on the underlying host. Vendor patches are available via Bitbucket commits 7092ff6 and f81e569. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. The 7.1 CVSS 4.0 score reflects high availability impact and low integrity impact under default configurations, with significantly higher risk in non-default deployments using the execute facility.

Authentication Bypass Denial Of Service Elog
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-12547 LOW POC Monitor

LogicalDOC Community Edition up to 9.2.1 fails to implement rate limiting on the admin login page (/login.jsp), allowing remote attackers to conduct brute-force authentication attacks with high complexity but difficult exploitability. Publicly available exploit code exists, though the vendor has not responded to early disclosure notification, and real-world exploitation risk remains low given the EPSS score of 0.16% and high attack complexity.

Information Disclosure Logicaldoc
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.2%
CVE-2025-12357 MEDIUM This Month

This vulnerability in the Signal Level Attenuation Characterization (SLAC) protocol allows attackers to conduct man-in-the-middle attacks against electric vehicles and ISO 15118-2 compliant chargers by injecting spoofed signal level measurements. An attacker within close electromagnetic proximity can intercept and manipulate the wireless communication between EVs and chargers, potentially compromising the confidentiality and integrity of charging transactions. While the CVSS score of 6.3 indicates medium severity with low complexity exploitation, the EPSS score of 0.03% (6th percentile) suggests minimal real-world exploitation likelihood despite the critical nature of EV charging infrastructure.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-12464 MEDIUM PATCH This Month

Stack-based buffer overflow in QEMU's e1000 network device emulation allows local guest users to crash the QEMU process via crafted short frames in loopback mode, causing denial of service on the host. The vulnerability exists in the e1000_receive_iov() function where frame padding logic was removed from the device layer but loopback mode still processes short frames unsafely. No public exploit code or active exploitation in KEV has been reported at time of analysis.

Stack Overflow Denial Of Service Buffer Overflow
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-12546 LOW POC Monitor

Stored cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 allows authenticated users to inject malicious scripts via the API Key creation UI, affecting the integrity of user data and potentially enabling credential theft or session hijacking. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but publicly available exploit code exists and the vendor has not responded to early disclosure notification.

XSS Logicaldoc
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-64368 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes Bard bardwp allows Cross Site Request Forgery.This issue affects Bard: from n/a through <= 1.6.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-64358 MEDIUM This Month

Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce wt-smart-coupons-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Coupons for WooCommerce: from n/a through <= 2.2.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64357 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Younes JFR. Advanced Database Cleaner advanced-database-cleaner allows Cross Site Request Forgery.This issue affects Advanced Database Cleaner: from n/a through <= 3.1.6.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64350 LOW Monitor

Missing Authorization vulnerability in Rank Math SEO Rank Math SEO seo-by-rank-math allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rank Math SEO: from n/a through <= 1.0.252.1.

Authentication Bypass
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-64352 LOW Monitor

Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through <= 6.2.4.

Authentication Bypass Elementor
NVD
CVSS 3.1
2.7
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy