Skip to main content
CVE-2025-63693 MEDIUM POC This Month

The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Dzzoffice
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-63225 CRITICAL POC Act Now

The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Elts 100 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-60455 HIGH POC PATCH This Week

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Max
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-56499 MEDIUM POC This Week

Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Mihomo
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-54321 CRITICAL This Week

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Signinghub
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-54320 MEDIUM Monitor

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Signinghub
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-52639 LOW Monitor

HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Connections
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-37163 HIGH This Month

A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Aruba Command Injection Airwave
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-37160 MEDIUM This Month

A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Arubaos Cx
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-37159 MEDIUM This Month

A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Rated medium severity (CVSS 5.8), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation Authentication Bypass Arubaos Cx
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-37158 MEDIUM This Month

A command injection vulnerability exists in the AOS-CX Operating System. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.

Command Injection RCE Arubaos Cx
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-37157 MEDIUM This Month

A command injection vulnerability exists in the AOS-CX Operating System. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.

Command Injection RCE Code Injection Arubaos Cx
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-37156 MEDIUM This Month

A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Arubaos Cx
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-37155 HIGH This Month

A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Arubaos Cx
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-64076 HIGH POC PATCH This Month

Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Integer Overflow Buffer Overflow Python Cbor2 +2
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-63994 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP RCE Richfilemanager
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-63828 MEDIUM POC This Month

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Backdrop Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-63695 CRITICAL POC Act Now

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Dzzoffice
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-63694 CRITICAL POC Act Now

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Dzzoffice
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-63514 MEDIUM POC This Month

kishan0725 Hospital Management System has a Cross-Site Scripting (XSS) vulnerability in appsearch.php via the email parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hospital Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-56643 CRITICAL This Week

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wiki Js
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-63829 HIGH POC This Month

eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t:: fraction() function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Integer Overflow Fast Dds
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63513 MEDIUM POC This Week

kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in the appointment cancellation functionality. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Hospital Management System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-63512 MEDIUM POC This Week

kishan0725 Hospital Management System/ v4 is vulnerable to SQL Injection in admin-panel1.php, specifically in the deleting doctor logic. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Hospital Management System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-61713 MEDIUM Monitor

A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in Fortinet FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortipam
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-59669 MEDIUM This Month

A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Redis Fortinet Authentication Bypass Fortiweb
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-58692 HIGH This Month

An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Fortinet Fortivoice
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-56527 HIGH POC PATCH This Month

Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Kotaemon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-56526 MEDIUM POC PATCH This Month

Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE XSS Kotaemon
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-55796 HIGH POC This Month

The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Openml Org
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2025-54972 MEDIUM Monitor

An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Code Injection Fortimail
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-54971 MEDIUM Monitor

An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiADC 7.4.0, FortiADC 7.2 all versions, FortiADC 7.1 all versions, FortiADC 7.0 all versions, FortiADC 6.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Fortinet Fortiadc
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-54660 MEDIUM This Month

An active debug code vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.10, FortiClientWindows 7.0 all versions may allow a local attacker to run. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Fortinet Information Disclosure Forticlient Windows
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-53360 MEDIUM Monitor

pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-48839 MEDIUM This Month

An Out-of-bounds Write vulnerability [CWE-787] in FortiADC 8.0.0, 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions may allow an. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Memory Corruption Buffer Overflow RCE Fortiadc
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-47761 HIGH This Month

An Exposed IOCTL with Insufficient Access Control vulnerability [CWE-782] vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.9 may allow an. Rated high severity (CVSS 7.8). No vendor patch available.

Fortinet Microsoft Authentication Bypass Forticlient Windows
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-46776 MEDIUM This Month

A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all. Rated medium severity (CVSS 6.4). No vendor patch available.

RCE Buffer Overflow Fortinet Fortiextender Firmware
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-46775 MEDIUM This Month

A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortiextender Firmware
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46373 HIGH This Month

A Heap-based Buffer Overflow vulnerability [CWE-122] vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.8 may allow an authenticated local IPSec. Rated high severity (CVSS 7.8). No vendor patch available.

Buffer Overflow RCE Microsoft Heap Overflow Fortinet +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-46215 MEDIUM This Month

An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortisandbox
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-34324 HIGH POC This Month

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Jwt Attack RCE Apple Microsoft Gosign +2
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-33184 HIGH This Month

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia Python Code Injection
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33183 HIGH This Month

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia Python Code Injection
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-13083 LOW PATCH Monitor

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.0.0 before 10.4.9, from 10.5.0. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Drupal
NVD HeroDevs
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-13082 MEDIUM PATCH Monitor

User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Drupal
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-13081 MEDIUM PATCH This Month

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Drupal
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-13080 MEDIUM PATCH This Month

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Drupal
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12761 LOW PATCH Monitor

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).0.0 before 2.0.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity.

XSS Simple Multi Step Form Drupal
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-12760 MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.0.0 before 2.0.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Email Tfa Drupal
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-9977 MEDIUM This Month

Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi Command Injection
NVD
CVSS 4.0
5.3
EPSS
4.1%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy