Skip to main content
CVE-2025-65015 CRITICAL POC PATCH Act Now

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Python Joserfc Red Hat Suse
NVD GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2025-63217 CRITICAL POC Act Now

The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Id Mux Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-63216 CRITICAL POC Act Now

The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Idgateway Firmware
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-63228 CRITICAL POC Act Now

The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP RCE Mozart Next 100 Firmware Mozart Next 1000 Firmware +20
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-63225 CRITICAL POC Act Now

The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Elts 100 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-54321 CRITICAL This Week

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Signinghub
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63994 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP RCE Richfilemanager
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-63695 CRITICAL POC Act Now

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Dzzoffice
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-63694 CRITICAL POC Act Now

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Dzzoffice
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-56643 CRITICAL This Week

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wiki Js
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-12383 CRITICAL PATCH This Week

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Authentication Bypass Jersey
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-9312 CRITICAL This Week

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Api Control Plane Api Manager Identity Server Identity Server As Key Manager +5
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-41734 CRITICAL This Week

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure Ewio2 M Firmware Ewio2 M Bm Firmware +1
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-41733 CRITICAL This Week

The commissioning wizard on the affected devices does not validate if the device is already initialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ewio2 M Firmware Ewio2 M Bm Firmware Ewio2 Bm Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-41346 CRITICAL This Week

Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Winplus
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-40549 CRITICAL PATCH This Week

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Microsoft Serv U Windows
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-40548 CRITICAL PATCH This Week

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Microsoft Privilege Escalation Serv U Windows
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-40547 CRITICAL This Week

A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Serv U Windows
NVD
CVSS 3.1
9.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy