61 CVEs tracked today. 8 Critical, 15 High, 33 Medium, 3 Low, 2 unscored.
-
CVE-2025-63453
CRITICAL
CVSS 9.8
Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/contact.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Car Booking System Php
-
CVE-2025-63452
CRITICAL
CVSS 9.4
Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/forgot-pass.php. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Car Booking System Php
-
CVE-2025-63451
CRITICAL
CVSS 9.8
Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Car Booking System Php
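Worked example, added here and not code from Car-Booking-System-PHP or any other project on this page: the three Car-Booking-System-PHP entries above (and the later SQLi entries for Geutebruck, Digiwin EasyFlow and the itsourcecode/CodeAstro apps) share one root cause, a query assembled from request strings. The Python/sqlite3 snippet below uses a constructed in-memory `users` table (assumed schema) and hypothetical `login_vulnerable`/`login_safe` functions to show the tautology bypass against string-built SQL and the bound-parameter query that closes it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the app's users table (assumed schema, not the
    # project's). Passwords are stored in clear only to keep the demo short;
    # a real application stores a salted hash.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                ("admin@example.com", "correct-horse"))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, email: str, password: str) -> bool:
    # The bug class on this page: request values pasted into the SQL text, so
    # a quote in the input ends the literal and the rest is parsed as SQL.
    sql = (f"SELECT id FROM users WHERE email = '{email}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, email: str, password: str) -> bool:
    # Bound parameters: the driver sends values separately from the statement,
    # so the input can never change the query's structure.
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, password)).fetchone() is not None


def demo() -> dict:
    con = make_db()
    tautology = "' OR '1'='1"   # classic unauthenticated bypass payload
    return {
        "vuln_legit": login_vulnerable(con, "admin@example.com", "correct-horse"),
        "vuln_bypass": login_vulnerable(con, "nobody@example.com", tautology),
        "safe_legit": login_safe(con, "admin@example.com", "correct-horse"),
        "safe_bypass": login_safe(con, "nobody@example.com", tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The payload works against the vulnerable query because `AND` binds tighter than `OR`: the condition becomes `(email = ... AND password = '') OR '1'='1'`, which matches every row. The same input against the bound query is compared as a literal string and matches nothing.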
-
CVE-2025-11953
CRITICAL
CVSS 9.8
React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.
Command Injection
Microsoft
React Native Community Cli
Windows
Redhat
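Worked example, added here and not taken from React Native, Metro or the community CLI: the entry above combines two independent mistakes, a development server that listens on every interface and an endpoint that hands request data to a shell. The Python below (hypothetical function names, a stand-in helper instead of whatever binary the real endpoint launches, POSIX `sh` assumed for the vulnerable variant) shows a loopback-only bind check and the difference between a shell string with the URL interpolated and an argv list.

```python
import ipaddress
import shlex
import subprocess
import sys
from typing import Tuple
from urllib.parse import urlparse


def bind_host_is_safe(host: str, allow_external: bool = False) -> bool:
    """A dev server should listen on loopback unless the operator opts in."""
    if allow_external:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


# Stand-in for the helper the endpoint launches: echoes its first argument.
# (Hypothetical; the real helper is whatever the dev server would invoke.)
HELPER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def open_url_vulnerable(url: str) -> str:
    # shell=True with the URL pasted in: ';', '&&' and '$(...)' are live syntax.
    cmd = " ".join(shlex.quote(a) for a in HELPER) + " " + url
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_url_safe(url: str) -> str:
    # Validate what we accept, then pass it as one opaque argv element, no shell.
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs may be opened")
    return subprocess.run(HELPER + [url], capture_output=True, text=True).stdout


def demo(payload: str = "http://x/; echo INJECTED") -> Tuple[str, str]:
    """Run both variants on a constructed injection payload."""
    return open_url_vulnerable(payload), open_url_safe(payload)


if __name__ == "__main__":
    print("0.0.0.0 safe to bind by default:", bind_host_is_safe("0.0.0.0"))
    vuln, safe = demo()
    print("vulnerable stdout:", repr(vuln))
    print("safe stdout:", repr(safe))
```

The two fixes are independent: binding to 127.0.0.1 limits who can reach the endpoint, while the argv form removes the injection even for callers who are allowed to reach it. Shipping only the first leaves every process on the developer's machine, including a browser rendering a hostile page, able to hit the endpoint.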
-
CVE-2025-0987
CRITICAL
CVSS 9.9
CVLand versions 2.1.0 through 20251103 by CB Project Ltd. Co. permit authenticated attackers to bypass authorization controls via parameter injection, enabling elevated privilege actions and unauthorized access to sensitive data. The CVSS score of 9.9 reflects network-based exploitation with low complexity and scope change allowing high confidentiality and integrity impact. EPSS probability is 0.07% (22nd percentile), indicating relatively low observed exploitation likelihood despite the critical severity rating. No public exploit identified at time of analysis, though the vendor was notified and did not respond.
Authentication Bypass
-
CVE-2025-12463
CRITICAL
CVSS 9.8
An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-8900
CRITICAL
CVSS 9.8
The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
Privilege Escalation
PHP
-
CVE-2024-13997
CRITICAL
CVSS 9.4
Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Privilege Escalation
Nagios Xi
-
CVE-2025-63441
HIGH
CVSS 7.3
Open Source Social Network (OSSN) 8.6 is vulnerable to Cross Site Scripting (XSS) via the `param` parameter at endpoint u/administrator/friends. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Open Source Social Network
-
CVE-2025-60785
HIGH
CVSS 8.8
A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RCE
PostgreSQL
Code Injection
Icescrum
-
CVE-2025-60503
HIGH
CVSS 8.7
A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Ultimatepos
-
CVE-2025-50735
HIGH
CVSS 7.5
Directory traversal vulnerability in NextChat thru 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Path Traversal
Nextchat
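Worked example, added here and not code from NextChat: the entry above describes a catch-all proxy route that forwards whatever path it is given without rejecting `.` and `..` segments. The Python below (a hypothetical `resolve_proxy_path`, with `/dav` as an assumed upstream root) shows the check such a route needs. It goes slightly beyond the entry by also handling percent-encoded and double-encoded dots, which are the usual way a "no literal `..`" filter gets bypassed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

DAV_ROOT = "/dav"   # assumed upstream prefix the proxy is allowed to forward to


def resolve_proxy_path(user_path: str, root: str = DAV_ROOT) -> Optional[str]:
    """Return the upstream path for a catch-all proxy route, or None to reject."""
    # Decode percent-encoding until stable (bounded), so %2e%2e and %252e%252e
    # are seen as the dots they become once some layer decodes them again.
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "\\" in decoded:
        return None   # NUL and backslash have no place in a WebDAV path
    # A proxy route has no legitimate use for dot segments: reject, don't "fix".
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return None
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Belt and braces: whatever normalisation did, the result stays under root.
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


if __name__ == "__main__":
    for probe in ("notes/a.md", "../../api/config",
                  "%2e%2e/%2e%2e/api/config", "%252e%252e/api/config"):
        print(f"{probe!r:32} -> {resolve_proxy_path(probe)}")
```

Rejecting is preferable to normalising here: a proxy that "cleans up" `..` still has to get every encoding and separator variant right, whereas a proxy that refuses any dot segment has nothing to get wrong. The final prefix check is kept as a second line of defence in case the decoding loop misses a variant.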
-
CVE-2025-48397
HIGH
CVSS 7.1
The privileged user could log in without sufficient credentials after enabling an application protocol. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
Authentication Bypass
-
CVE-2025-48396
HIGH
CVSS 8.3
Arbitrary code execution is possible due to improper validation of the file upload functionality in Eaton BLSS. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
File Upload
RCE
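Worked example, added here and not code from Eaton or BLSS: the entry above says only that upload validation is improper, so the snippet below shows the checks an upload handler needs in general, not what BLSS specifically gets wrong. The Python (a hypothetical `validate_upload`, with constructed file contents) enforces an extension allowlist, rejects executable extensions anywhere in the name, rejects path characters, checks the content's magic bytes against the claimed type, and returns a server-chosen storage name so the uploader never controls the path on disk.

```python
import posixpath
import secrets
from typing import Optional, Tuple

# Allowed types and the magic bytes each must start with (assumed policy).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Extensions a web server or interpreter might execute, even mid-name
# (e.g. "x.php.png" on a server with multi-extension handling enabled).
EXECUTABLE_EXTS = {"php", "phtml", "php5", "phar", "jsp", "asp", "aspx",
                   "cgi", "pl", "py", "sh", "htaccess"}


def validate_upload(filename: str, content: bytes) -> Tuple[Optional[str], str]:
    """Return (storage_name, reason); storage_name is None when rejected."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in filename or base in ("", ".", ".."):
        return None, "path characters in filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None, "no usable extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return None, f"extension not allowed: {ext}"
    if any(p in EXECUTABLE_EXTS for p in parts[1:-1]):
        return None, "executable extension inside filename"
    if not content.startswith(ALLOWED[ext]):
        return None, "content does not match extension"
    # Random server-chosen name: no user text reaches the filesystem path.
    return f"{secrets.token_hex(16)}.{ext}", "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16     # constructed PNG-like header
    for name, data in (("cat.png", png), ("shell.php", b"<?php system($_GET['c']);"),
                       ("cat.php.png", png), ("../../cat.png", png),
                       ("cat.png", b"<?php phpinfo();")):
        print(f"{name!r:18} -> {validate_upload(name, data)[1]}")
```

The storage directory should additionally sit outside the web root and be served with `X-Content-Type-Options: nosniff`; the validator above decides what is stored, the deployment decides whether anything stored can ever be executed.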
-
CVE-2025-34501
HIGH
CVSS 7.0
Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. Rated high severity (CVSS 7.0); no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-12622
HIGH
CVSS 7.4
A vulnerability was determined in Tenda AC10 16.03.10.13. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Tenda
Buffer Overflow
Ac10 Firmware
-
CVE-2025-12619
HIGH
CVSS 7.4
A vulnerability was found in Tenda A15 15.13.07.13. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Tenda
Buffer Overflow
A15 Firmware
-
CVE-2025-12618
HIGH
CVSS 7.4
A vulnerability has been found in Tenda AC8 16.03.34.06. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Tenda
Buffer Overflow
Ac8 Firmware
-
CVE-2025-12611
HIGH
CVSS 7.4
A vulnerability was identified in Tenda AC21 16.03.08.16. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Tenda
Buffer Overflow
Ac21 Firmware
-
CVE-2025-12531
HIGH
CVSS 7.1
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XXE
IBM
Infosphere Information Server
-
CVE-2025-12503
HIGH
CVSS 7.1
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-11761
HIGH
CVSS 8.5
A potential security vulnerability has been identified in the HP Client Management Script Library software, which might allow escalation of privilege during the installation process. Rated high severity (CVSS 8.5), low attack complexity. No vendor patch available.
Privilege Escalation
Hp
Client Management Script Library
-
CVE-2025-10280
HIGH
CVSS 7.1
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
XSS
Identityiq
-
CVE-2025-64294
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in d3wp WP Snow Effect allows Accessing Functionality Not Properly Constrained by ACLs.1.15. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-63593
MEDIUM
CVSS 6.1
Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Grav
-
CVE-2025-63450
MEDIUM
CVSS 5.4
Car-Booking-System-PHP v.1.0 is vulnerable to Cross Site Scripting (XSS) in /carlux/booking.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Car Booking System Php
-
CVE-2025-63449
MEDIUM
CVSS 5.4
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /orders.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Water Management System
-
CVE-2025-63448
MEDIUM
CVSS 6.1
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /edit_product.php?id=1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Water Management System
-
CVE-2025-63447
MEDIUM
CVSS 6.1
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_customer.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Water Management System
-
CVE-2025-63446
MEDIUM
CVSS 6.1
Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_vendor.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Water Management System
-
CVE-2025-63443
MEDIUM
CVSS 5.4
School Management System PHP v1.0 is vulnerable to Cross Site Scripting (XSS) in /login.php via the password parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
School Management System Php
-
CVE-2025-63442
MEDIUM
CVSS 4.6
Simple User Management System with PHP-MySQL v1.0 is vulnerable to Cross-Site Scripting (XSS) via the Profile Section. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Simple User Management System
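Worked example, added here and not code from any of the PHP projects in the XSS entries above (Grav, Car-Booking-System-PHP, Water Management System, School Management System PHP, Simple User Management System): each of those is a request value written back into a page. The Python below (hypothetical `render_*` functions standing in for the PHP templates, constructed payloads) shows the reflection, and why the fix has to match the output context: escaping only `<` and `>` stops a `<script>` tag in a text node but does nothing against breakout from a quoted attribute such as the `password` input that the School Management System entry reflects into.

```python
import html
from typing import Dict

# Constructed payloads, one per output context.
PAYLOADS = {
    "text_node": "<script>alert(1)</script>",
    "attr_breakout": '" autofocus onfocus="alert(1)',
}


def render_vulnerable(msg: str) -> str:
    # Request value echoed into a text node and a quoted attribute unchanged.
    return (f'<p class="error">{msg}</p>'
            f'<input name="password" value="{msg}">')


def render_half_fixed(msg: str) -> str:
    # quote=False escapes & < > only: enough for the <p>, not for value="...".
    safe = html.escape(msg, quote=False)
    return (f'<p class="error">{safe}</p>'
            f'<input name="password" value="{safe}">')


def render_safe(msg: str) -> str:
    # quote=True also escapes " and ', so the attribute cannot be closed early.
    safe = html.escape(msg, quote=True)
    return (f'<p class="error">{safe}</p>'
            f'<input name="password" value="{safe}">')


def reflected_unescaped(page: str, payload: str) -> bool:
    """True when the payload survives verbatim, i.e. the page is exploitable."""
    return payload in page


def assess() -> Dict[str, Dict[str, bool]]:
    """For each renderer, which constructed payloads come back unescaped."""
    renderers = {"vulnerable": render_vulnerable,
                 "half_fixed": render_half_fixed,
                 "safe": render_safe}
    return {name: {p: reflected_unescaped(fn(v), v) for p, v in PAYLOADS.items()}
            for name, fn in renderers.items()}


if __name__ == "__main__":
    for renderer, results in assess().items():
        print(renderer, results)
```

`reflected_unescaped` is the same check a scanner performs against a live endpoint: submit a marker, see whether it comes back byte-for-byte. Running it per context is what catches the half-fixed case, which a single `<script>` probe would report as clean.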
-
CVE-2025-63293
MEDIUM
CVSS 6.5
FairSketch Rise Ultimate Project Manager & CRM 3.9.4 is vulnerable to Insecure Permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Rise Ultimate Project Manager
-
CVE-2025-60892
MEDIUM
CVSS 6.8
An issue in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. Rated medium severity (CVSS 6.8); no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Windows
-
CVE-2025-50363
MEDIUM
CVSS 5.4
Phpgurukul Maid Hiring Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in /maid-hiring.php via the name field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Maid Hiring Management System
-
CVE-2025-45663
MEDIUM
CVSS 6.5
An issue in NetSurf v3.11 causes the application to read uninitialized heap memory when creating a dom_event structure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Netsurf
-
CVE-2025-36172
MEDIUM
CVSS 6.4
IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
IBM
Cloud Pak For Business Automation
-
CVE-2025-36093
MEDIUM
CVSS 4.8
IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an attacker to access unauthorized content or perform unauthorized actions using man in the middle techniques due to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Authentication Bypass
IBM
Cloud Pak For Business Automation
-
CVE-2025-36092
MEDIUM
CVSS 6.5
IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial Of Service
IBM
Cloud Pak For Business Automation
-
CVE-2025-36091
MEDIUM
CVSS 4.3
IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause dashboards to become inaccessible to legitimate users due to invalid ownership assignment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
IBM
Cloud Pak For Business Automation
-
CVE-2025-29699
MEDIUM
CVSS 6.5
NetSurf 3.11 is vulnerable to Use After Free in dom_node_set_text_content function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Memory Corruption
Denial Of Service
Use After Free
Netsurf
-
CVE-2025-12657
MEDIUM
CVSS 5.9
The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Information Disclosure
MongoDB
-
CVE-2025-12642
MEDIUM
CVSS 6.9
lighttpd 1.4.80 incorrectly merged trailer fields into headers after http request parsing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Request Smuggling
Authentication Bypass
Lighttpd
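Worked example, added here and not lighttpd's code: the entry above says trailer fields were merged into the header set after parsing. The Python below builds a constructed chunked request whose trailer section carries `Authorization` and `Content-Length`, parses it with a hypothetical minimal chunked-body parser, and contrasts the merging behaviour (a trailer silently rewrites a header the front end already acted on) with the handling RFC 9110 section 6.5.1 calls for: trailers stay separate, only names announced in `Trailer` are accepted, and framing/routing/auth fields are never accepted from the trailer section. The forbidden-name set is a subset, not the full list.

```python
from typing import Dict, List, Tuple

# Constructed request: a chunked body whose trailer section tries to smuggle
# fields that were never in the header block the front end inspected.
RAW_REQUEST = (
    b"POST /api/transfer HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Checksum\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Checksum: abc123\r\n"
    b"Authorization: Bearer forged\r\n"
    b"Content-Length: 999\r\n"
    b"\r\n"
)

# RFC 9110 s.6.5.1: fields needed for framing, routing or authentication
# must not be carried in trailers (subset shown).
FORBIDDEN_IN_TRAILERS = {
    "transfer-encoding", "content-length", "host", "trailer", "te",
    "authorization", "cookie", "set-cookie", "content-type", "content-encoding",
}

Field = Tuple[str, str]


def parse_fields(block: bytes) -> List[Field]:
    """Parse 'Name: value' lines into lower-cased (name, value) pairs."""
    fields = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        fields.append((name.decode("latin-1").strip().lower(),
                       value.decode("latin-1").strip()))
    return fields


def parse_chunked_request(raw: bytes):
    """Return (request_line, headers, body, trailers) for a chunked request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_fields(header_block)
    body, pos = b"", 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0].decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            break
        body += rest[pos:pos + size]
        pos += size + 2            # chunk data plus its trailing CRLF
    trailer_block = rest[pos:].partition(b"\r\n\r\n")[0]
    return request_line.decode("ascii"), headers, body, parse_fields(trailer_block)


def apply_trailers(headers: List[Field], trailers: List[Field], merge_trailers: bool):
    """Return (headers, accepted_trailers, rejected_trailer_names)."""
    hdrs: Dict[str, str] = dict(headers)
    if merge_trailers:
        # The broken behaviour: trailers overwrite headers after the request
        # was already routed and authorised on the original header block.
        hdrs.update(trailers)
        return hdrs, {}, []
    announced = set()
    for name, value in headers:
        if name == "trailer":
            announced.update(n.strip().lower() for n in value.split(","))
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in trailers:
        if name in FORBIDDEN_IN_TRAILERS or name not in announced:
            rejected.append(name)
        else:
            accepted[name] = value   # kept apart from headers, never merged
    return hdrs, accepted, rejected


if __name__ == "__main__":
    _, h, body, t = parse_chunked_request(RAW_REQUEST)
    print("merged:", apply_trailers(h, t, merge_trailers=True)[0])
    print("strict:", apply_trailers(h, t, merge_trailers=False)[1:])
```

The smuggling angle is the `Content-Length: 999` trailer: a front end that validated the request as chunked and a back end that merges the trailer and then trusts the merged `Content-Length` now disagree on where this request ends and the next begins. The `Authorization` trailer is the reason the entry is also tagged as an authentication bypass.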
-
CVE-2025-12626
MEDIUM
CVSS 5.3
A security flaw has been discovered in jeecgboot jeewx-boot up to 641ab52c3e1845fec39996d7794c33fb40dad1dd. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
-
CVE-2025-12617
MEDIUM
CVSS 6.9
A flaw has been found in itsourcecode Billing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Billing System
-
CVE-2025-12616
MEDIUM
CVSS 6.3
A vulnerability was detected in PHPGurukul News Portal 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Information Disclosure
News Portal
-
CVE-2025-12614
MEDIUM
CVSS 5.1
A weakness has been identified in SourceCodester Best House Rental Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Best House Rental Management System
-
CVE-2025-12612
MEDIUM
CVSS 5.3
A security flaw has been discovered in Campcodes School Fees Payment Management System 1.0.php?action=delete_course. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
School Fees Payment Management System
-
CVE-2025-12610
MEDIUM
CVSS 5.1
A vulnerability was determined in CodeAstro Gym Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Gym Management System
-
CVE-2025-12609
MEDIUM
CVSS 5.1
A vulnerability was found in CodeAstro Gym Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Gym Management System
-
CVE-2025-12608
MEDIUM
CVSS 6.9
A security flaw has been discovered in itsourcecode Online Loan Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Online Loan Management System
-
CVE-2025-12607
MEDIUM
CVSS 6.9
A vulnerability was identified in itsourcecode Online Loan Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Online Loan Management System
-
CVE-2025-12606
MEDIUM
CVSS 6.9
A vulnerability was determined in itsourcecode Online Loan Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Online Loan Management System
-
CVE-2025-11193
MEDIUM
CVSS 6.8
A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information. Rated medium severity (CVSS 6.8), low attack complexity. No vendor patch available.
Information Disclosure
Lenovo
-
CVE-2024-51317
MEDIUM
CVSS 6.5
An issue in NetSurf v.3.11 allows a remote attacker to execute arbitrary code via the dom_node_normalize function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
RCE
Netsurf
-
CVE-2024-13998
MEDIUM
CVSS 6.0
Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Nagios Xi
-
CVE-2025-45959
None
Rejected reason: DO NOT USE THIS CVE RECORD. The record has been rejected, so no severity, score or patch status applies.
Information Disclosure
-
CVE-2025-40107
None
In the Linux kernel, the following vulnerability has been resolved: can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled This issue is similar to the.
Denial Of Service
Linux
Linux Kernel
-
CVE-2025-12623
LOW
CVSS 2.3
A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.
Java
Authentication Bypass
-
CVE-2025-12615
LOW
CVSS 2.3
A security vulnerability has been detected in PHPGurukul News Portal 1.0. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Information Disclosure
News Portal
-
CVE-2025-8558
LOW
CVSS 2.3
Insider Threat Management (ITM) Server versions prior to 7.17.2 contain an authentication bypass vulnerability that allows unauthenticated users on an adjacent network to perform agent unregistration. Rated low severity (CVSS 2.3); no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Insider Threat Management Server