Skip to main content
CVE-2025-11749 CRITICAL POC THREAT Emergency

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint when the No-Auth URL feature is enabled. Unauthenticated attackers can extract this token to gain full API access, compromising AI assistant configurations and potentially accessing connected LLM provider API keys.

WordPress Information Disclosure Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
85.9%
Threat
6.0
CVE-2025-56231 CRITICAL POC Act Now

Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Internet Download Manager
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-63334 CRITICAL POC PATCH Act Now

PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE Pocketvj Control Panel Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-63416 CRITICAL POC Act Now

** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Privilege Escalation Selfbest
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-55343 CRITICAL This Week

Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usua_codi, anexos_lista.php radi_temp,. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP Quipux
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-46364 CRITICAL This Week

Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user with known password can run CLI Escape Vulnerability to gain control of system. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Dell Privilege Escalation Cloudlink D-Link
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-45378 CRITICAL This Week

Dell CloudLink, versions 8.0 through 8.1.2, contain vulnerability on restricted shell. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Dell Command Injection Authentication Bypass Cloudlink D-Link
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-20358 CRITICAL This Week

A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Authentication Bypass Unified Contact Center Express
NVD
CVSS 3.1
9.4
EPSS
0.6%
CVE-2025-20354 CRITICAL This Week

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Cisco Authentication Bypass Java Unified Contact Center Express
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-63601 CRITICAL PATCH This Week

Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload RCE Snipe It
NVD GitHub
CVSS 3.1
9.9
EPSS
0.6%
CVE-2025-61304 CRITICAL POC Act Now

OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Activegate Ping Extension
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-64459 CRITICAL POC PATCH GHSA Act Now

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Python Django Red Hat Suse
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-47151 CRITICAL POC PATCH Act Now

A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption RCE Lasso Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-55108 CRITICAL This Week

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Authentication Bypass
NVD
CVSS 4.0
9.5
EPSS
0.5%
CVE-2025-12674 CRITICAL This Week

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE WordPress PHP
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-12735 CRITICAL POC PATCH This Week

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Javascript Expression Evaluator Red Hat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy