Skip to main content
CVE-2025-65020 MEDIUM POC This Week

Rallly is an open-source scheduling and collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Rallly
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-63210 CRITICAL POC Act Now

The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Celoxa504 Firmware Celoxa820 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-63209 HIGH POC This Month

The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Star150 Firmware Bp1000 Firmware Star300 Firmware Star2000 Firmware +2
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63208 HIGH POC This Month

An issue was discovered in bridgetech VB288 Objective QoE Content Extractor, firmware version 5.6.0-8, allowing attackers to gain sensitive information such as administrator passwords via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vb288 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-63207 CRITICAL POC Act Now

The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tex30Lcd S Firmware Tex50Lcd S Firmware Tex100Lcd S Firmware Tex150Lcd S Firmware +7
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-63206 CRITICAL POC Act Now

An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Ds2924 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-63205 HIGH POC This Month

An issue was discovered in bridgetech probes VB220 IP Network Probe,VB120 Embedded IP + RF Probe, VB330 High-Capacity Probe, VB440 ST 2110 Production Analytics Probe, and NOMAD, firmware versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vb220 Firmware Vb120 Firmware Vb330 Firmware Vb440 Firmware +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-65019 MEDIUM POC PATCH This Month

Astro is a web framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Astro
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-64765 MEDIUM POC PATCH This Week

Astro is a web framework. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Astro
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-64757 LOW POC PATCH Monitor

Astro is a web framework. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Astro
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-64708 MEDIUM PATCH This Month

authentik is an open-source Identity Provider. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Authentik Suse
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-64521 MEDIUM PATCH Monitor

authentik is an open-source Identity Provider. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Authentik Suse
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-34335 HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Fax Server Interactive Voice Response Tenda
NVD
CVSS 4.0
8.7
EPSS
0.7%
CVE-2025-34334 HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Fax Server Interactive Voice Response Tenda
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-34333 HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 configure the web document root at C:\\F2MAdmin\\F2E with overly permissive file system permissions. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Fax Server Interactive Voice Response Tenda
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-34332 HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP Microsoft Privilege Escalation Fax Server Interactive Voice Response +2
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-34331 HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Fax Server Interactive Voice Response Tenda
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-34330 MEDIUM POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Fax Server Interactive Voice Response Tenda
NVD
CVSS 4.0
6.9
EPSS
0.7%
CVE-2025-34329 CRITICAL POC Act Now

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Microsoft Fax Server Interactive Voice Response +2
NVD
CVSS 4.0
9.3
EPSS
3.1%
CVE-2025-34328 CRITICAL POC Act Now

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Microsoft Fax Server Interactive Voice Response +2
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2025-13400 HIGH POC This Month

A vulnerability was detected in Tenda CH22 1.0.0.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Buffer Overflow Ch22 Firmware
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.2%
CVE-2025-12766 MEDIUM This Month

An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) version 7.21 could allow an attacker to potentially gain unauthorized knowledge about. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Athoc
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-12743 MEDIUM This Month

The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2025-65024 HIGH POC PATCH This Month

i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PHP I Educar
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-65023 HIGH POC PATCH This Month

i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PHP I Educar
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-65022 HIGH PATCH This Month

i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PHP I Educar
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-63879 MEDIUM POC This Month

A reflected cross-site scripted (XSS) vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary Javascript in the context of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Php Ecommerce Project
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-63878 MEDIUM POC This Week

Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Restaurant Website Restoran
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63224 CRITICAL POC Act Now

The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Idenc Firmware
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-63223 CRITICAL POC Act Now

The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Streamermax Mk Ii Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-63221 CRITICAL POC Act Now

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Puma Firmware
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-63220 HIGH POC This Month

The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE First Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-13397 MEDIUM PATCH Monitor

A security vulnerability has been detected in mrubyc up to 3.4. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity.

Denial Of Service Mruby C
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-10703 HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache Google SAP +5
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-10702 HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache Google SAP +4
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-63243 MEDIUM POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Weblaudos
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-63219 HIGH POC This Month

The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Iso Fm Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63218 CRITICAL POC Act Now

The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Wolf1Ms Firmware Wolf2Ms Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-8528 MEDIUM This Month

Reflected XSS using a specific URL in Automated Logic WebCTRL and Carrier i-VU can allow delivery of malicious payload due to a specific GET parameter not being sanitized. Rated medium severity (CVSS 5.4). No vendor patch available.

XSS
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2024-8527 HIGH This Month

Open Redirect in URL parameter in Automated Logic WebCTRL and Carrier i-Vu versions 6.0, 6.5, 7.0, 8.0, 8.5, 9.0 may allow attackers to exploit user sessions. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Open Redirect
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-12592 CRITICAL This Week

Legacy Vivotek Device firmware uses default credetials for the root and user login accounts. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-64408 MEDIUM PATCH This Month

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Causeway
NVD
CVSS 3.1
6.3
EPSS
0.8%
CVE-2025-12472 HIGH This Month

An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Race Condition Information Disclosure
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-58412 MEDIUM Monitor

A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Fortinet XSS Fortiadc
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-11230 HIGH PATCH This Month

Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Aloha Appliance Haproxy Haproxy Enterprise Kubernetes Ingress Controller +2
NVD
CVSS 3.1
7.5
EPSS
0.4%

Rejected reason: Voluntarily withdrawn. No vendor patch available.

Information Disclosure
NVD
CVE-2025-11446 HIGH This Month

Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.2.0 before 5.2.12. Rated high severity (CVSS 7.3). No vendor patch available.

Information Disclosure Upkeeper Manager
NVD
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-13206 HIGH PATCH This Month

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Givewp PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-13035 HIGH This Month

The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP RCE Code Injection
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-12484 HIGH This Month

The Giveaways and Contests by RafflePress - Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.5%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy