Skip to main content
CVE-2025-13315 CRITICAL POC THREAT Emergency

Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API bypass. The exposed log contains the administrator's username and encrypted password, which can be decrypted using hard-coded keys (CVE-2025-13316) to gain full administrative control.

Information Disclosure Microsoft Twonky Server Windows
NVD
CVSS 4.0
9.3
EPSS
82.4%
Threat
5.8
CVE-2025-10437 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-63213 CRITICAL POC Act Now

The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Opera11 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-65095 CRITICAL This Week

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-65021 CRITICAL POC Act Now

Rallly is an open-source scheduling and collaboration tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Rallly
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-63210 CRITICAL POC Act Now

The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Celoxa504 Firmware Celoxa820 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-63207 CRITICAL POC Act Now

The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tex30Lcd S Firmware Tex50Lcd S Firmware Tex100Lcd S Firmware Tex150Lcd S Firmware +7
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-63206 CRITICAL POC Act Now

An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Ds2924 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-34329 CRITICAL POC Act Now

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Microsoft Fax Server Interactive Voice Response +2
NVD
CVSS 4.0
9.3
EPSS
3.1%
CVE-2025-34328 CRITICAL POC Act Now

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Microsoft Fax Server Interactive Voice Response +2
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2025-63224 CRITICAL POC Act Now

The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Idenc Firmware
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-63223 CRITICAL POC Act Now

The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Streamermax Mk Ii Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-63221 CRITICAL POC Act Now

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Puma Firmware
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-63218 CRITICAL POC Act Now

The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Wolf1Ms Firmware Wolf2Ms Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-12592 CRITICAL This Week

Legacy Vivotek Device firmware uses default credetials for the root and user login accounts. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-12057 CRITICAL This Week

The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress PHP
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13051 CRITICAL This Week

When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Rated critical severity (CVSS 9.3), this vulnerability is low attack complexity. No vendor patch available.

RCE
NVD
CVSS 4.0
9.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy