Skip to main content
CVE-2025-63674 MEDIUM POC This Month

An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE A31C Firmware
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-63914 MEDIUM POC This Month

An issue was discovered in Cinnamon kotaemon 0.11.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Kotaemon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-63953 MEDIUM POC This Month

A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Ultra Encode Hdmi Firmware Ultra Encode Sdi Firmware Ultra Encode Hdmi Plus Firmware Ultra Encode Sdi Plus Firmware +1
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63498 MEDIUM POC PATCH This Month

alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Sogo Debian Linux
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-63952 MEDIUM POC This Month

A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Pro Convert Hdmi 4K Plus Firmware Pro Convert Hdmi Plus Firmware Pro Convert Hdmi Tx Firmware Pro Convert 12G Sdi 4K Plus Firmware +9
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-13585 MEDIUM POC This Month

A vulnerability was detected in itsourcecode COVID Tracking System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-13583 MEDIUM POC This Month

A weakness has been identified in code-projects Question Paper Generator 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-13582 MEDIUM POC This Month

A security flaw has been discovered in code-projects Jonnys Liquor 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-13578 MEDIUM POC This Month

A vulnerability has been found in code-projects Library System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-63433 MEDIUM POC This Month

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google Authentication Bypass Xtool Anyscan Android
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-63432 MEDIUM POC This Month

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google RCE Xtool Anyscan Android
NVD GitHub
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-63435 MEDIUM POC This Month

Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google Authentication Bypass Xtool Anyscan Android
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-10144 MEDIUM This Month

The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-60633 MEDIUM PATCH This Month

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Free5gc Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-60632 MEDIUM PATCH This Month

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Free5gc Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64048 MEDIUM This Month

YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Yccms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-64047 MEDIUM This Month

OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Rapidcms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-36150 MEDIUM This Month

IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure IBM Concert
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-0007 MEDIUM This Month

Insufficient validation within Xilinx Run Time framework could allow a local attacker to escalate privileges from user space to kernel space, potentially compromising confidentiality, integrity,. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-48511 MEDIUM This Month

Improper input validation within AMD uprof can allow a local attacker to write to an arbitrary physical address, potentially resulting in crash or denial of service. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Amd Uprof
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-29933 MEDIUM This Month

Improper input validation within AMD uProf can allow a local attacker to write out of bounds, potentially resulting in a crash or denial of service. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Denial Of Service Buffer Overflow Amd Uprof
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-13466 MEDIUM PATCH This Month

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Red Hat
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-60916 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE XSS Openatlas
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-54341 MEDIUM This Month

A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Pingalert Application Server
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-36112 MEDIUM This Month

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Sterling B2b Integrator Sterling File Gateway
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-56423 MEDIUM This Month

An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openatlas
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-60917 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE XSS Openatlas
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-60914 MEDIUM This Month

Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /display_logo endpoint. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Openatlas
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-12978 MEDIUM This Month

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Fluent Bit
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-12972 MEDIUM This Month

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Fluent Bit
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12969 MEDIUM This Month

Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Fluent Bit
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-65503 MEDIUM POC PATCH This Month

Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 allows local users to cause a denial of service via triggering SSL initialization failure that results in incorrect destruction. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Memory Corruption Denial Of Service Use After Free Async Mqtt
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-65502 MEDIUM POC PATCH Monitor

Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Null Pointer Dereference Mongoose
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-65501 MEDIUM PATCH Monitor

Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference Libcoap Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-65500 MEDIUM PATCH Monitor

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Null Pointer Dereference Libcoap Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-65499 MEDIUM PATCH Monitor

Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Libcoap Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-65498 MEDIUM PATCH Monitor

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Null Pointer Dereference Libcoap Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-65497 MEDIUM PATCH Monitor

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Null Pointer Dereference Libcoap Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-65496 MEDIUM PATCH Monitor

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Null Pointer Dereference Libcoap Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-41017 MEDIUM This Month

Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-12628 MEDIUM This Month

The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD WPScan
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-41087 MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability stored in tha Taclia web application, where the uploaded SVG images are not properly sanitized. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-12569 MEDIUM Monitor

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Open Redirect PHP
NVD WPScan
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-12394 MEDIUM This Month

The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Information Disclosure PHP
NVD WPScan
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-13589 MEDIUM This Month

FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 4.0
5.1
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy