Skip to main content
CVE-2025-0987 CRITICAL Act Now

CVLand versions 2.1.0 through 20251103 by CB Project Ltd. Co. permit authenticated attackers to bypass authorization controls via parameter injection, enabling elevated privilege actions and unauthorized access to sensitive data. The CVSS score of 9.9 reflects network-based exploitation with low complexity and scope change allowing high confidentiality and integrity impact. EPSS probability is 0.07% (22nd percentile), indicating relatively low observed exploitation likelihood despite the critical severity rating. No public exploit identified at time of analysis, though the vendor was notified and did not respond.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2024-13997 CRITICAL This Week

Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Nagios Xi
NVD
CVSS 4.0
9.4
EPSS
0.2%
CVE-2025-12463 CRITICAL This Week

An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-11953 CRITICAL POC KEV PATCH THREAT Act Now

React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.

Command Injection Microsoft React Native Community Cli Windows Red Hat
NVD GitHub
CVSS 3.1
9.8
EPSS
3.4%
CVE-2025-63453 CRITICAL POC Act Now

Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/contact.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Car Booking System Php
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-63452 CRITICAL POC Act Now

Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/forgot-pass.php. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Car Booking System Php
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2025-63451 CRITICAL POC Act Now

Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Car Booking System Php
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8900 CRITICAL This Week

The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy