45 CVEs tracked today. 2 Critical, 14 High, 27 Medium, 2 Low.
-
CVE-2025-66385
CRITICAL
CVSS 9.4
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Privilege Escalation
-
CVE-2025-64314
CRITICAL
CVSS 9.3
Permission control vulnerability in the memory management module. Rated critical severity (CVSS 9.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Memory Corruption
Information Disclosure
HarmonyOS
-
CVE-2025-66384
HIGH
CVSS 8.2
app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
PHP
Information Disclosure
-
CVE-2025-66359
HIGH
CVSS 8.5
An issue was discovered in Logpoint before 7.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
XSS
SIEM
-
CVE-2025-58316
HIGH
CVSS 7.3
DoS vulnerability in the video-related system service module. Rated high severity (CVSS 7.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Race Condition
Information Disclosure
HarmonyOS
-
CVE-2025-58310
HIGH
CVSS 8.0
Permission control vulnerability in the distributed component. Rated high severity (CVSS 8.0), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Memory Corruption
Information Disclosure
HarmonyOS
-
CVE-2025-58308
HIGH
CVSS 7.3
Vulnerability of improper criterion security check in the call module. Rated high severity (CVSS 7.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
HarmonyOS
-
CVE-2025-58303
HIGH
CVSS 8.4
UAF vulnerability in the screen recording framework module. Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Race Condition
Information Disclosure
HarmonyOS
-
CVE-2025-58302
HIGH
CVSS 8.4
Permission control vulnerability in the Settings module. Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
EMUI
HarmonyOS
-
CVE-2025-51735
HIGH
CVSS 7.5
CSV formula injection vulnerability in HCL Technologies Ltd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, requires no authentication and has low attack complexity. No vendor patch available.
Code Injection
Unica
-
CVE-2025-13771
HIGH
CVSS 7.1
WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Path Traversal
WebITR
-
CVE-2025-13770
HIGH
CVSS 7.1
WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
SQLi
WebITR
-
CVE-2025-13769
HIGH
CVSS 7.1
WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
SQLi
WebITR
-
CVE-2025-13768
HIGH
CVSS 7.7
WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Authentication Bypass
WebITR
-
CVE-2025-12638
HIGH
CVSS 8.0
Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Path Traversal
RCE
Python
Red Hat
-
CVE-2025-12183
HIGH
CVSS 8.8
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Buffer Overflow
Java
Information Disclosure
Red Hat
-
CVE-2025-66386
MEDIUM
CVSS 4.1
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Path Traversal
PHP
-
CVE-2025-66371
MEDIUM
CVSS 5.0
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
XXE
-
CVE-2025-66370
MEDIUM
CVSS 5.0
Kivitendo before 3.9.2 allows XXE injection. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
XXE
-
CVE-2025-66361
MEDIUM
CVSS 6.9
An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Information Disclosure
SSTI
SIEM
-
CVE-2025-66360
MEDIUM
CVSS 6.9
An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Redis
Authentication Bypass
Privilege Escalation
SIEM
-
CVE-2025-64315
MEDIUM
CVSS 4.4
Configuration defect vulnerability in the file management module. Rated medium severity (CVSS 4.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
HarmonyOS
-
CVE-2025-64313
MEDIUM
CVSS 5.3
Denial of service (DoS) vulnerability in the office service. Rated medium severity (CVSS 5.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Race Condition
Microsoft
HarmonyOS
-
CVE-2025-64312
MEDIUM
CVSS 4.9
Permission control vulnerability in the file management module. Rated medium severity (CVSS 4.9), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
HarmonyOS
-
CVE-2025-64311
MEDIUM
CVSS 5.1
Permission control vulnerability in the Notepad module. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication. No vendor patch available.
Information Disclosure
HarmonyOS
-
CVE-2025-59792
MEDIUM
CVSS 5.3
Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.0.0 through 2.13.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
Apache
Kvrocks
-
CVE-2025-59790
MEDIUM
CVSS 5.4
Improper Privilege Management vulnerability in Apache Kvrocks.9.0 through v2.13.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Apache
Privilege Escalation
Kvrocks
-
CVE-2025-58315
MEDIUM
CVSS 5.5
Permission control vulnerability in the Wi-Fi module. Rated medium severity (CVSS 5.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
HarmonyOS
-
CVE-2025-58314
MEDIUM
CVSS 6.6
Vulnerability of accessing invalid memory in the component driver module. Rated medium severity (CVSS 6.6), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
EMUI
HarmonyOS
-
CVE-2025-58312
MEDIUM
CVSS 5.1
Permission control vulnerability in the App Lock module. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication. No vendor patch available.
Privilege Escalation
HarmonyOS
-
CVE-2025-58311
MEDIUM
CVSS 5.8
UAF vulnerability in the USB driver module. Rated medium severity (CVSS 5.8). No vendor patch available.
Memory Corruption
Information Disclosure
Use After Free
EMUI
HarmonyOS
-
CVE-2025-58309
MEDIUM
CVSS 6.8
Permission control vulnerability in the startup recovery module. Rated medium severity (CVSS 6.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
HarmonyOS
-
CVE-2025-58307
MEDIUM
CVSS 6.4
UAF vulnerability in the screen recording framework module. Rated medium severity (CVSS 6.4). No vendor patch available.
Memory Corruption
Information Disclosure
Use After Free
HarmonyOS
-
CVE-2025-58305
MEDIUM
CVSS 6.2
Identity authentication bypass vulnerability in the Gallery app. Rated medium severity (CVSS 6.2), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
Authentication Bypass
HarmonyOS
-
CVE-2025-58304
MEDIUM
CVSS 4.9
Permission control vulnerability in the file management module. Rated medium severity (CVSS 4.9), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
HarmonyOS
-
CVE-2025-58294
MEDIUM
CVSS 6.2
Permission control vulnerability in the print module. Rated medium severity (CVSS 6.2), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
HarmonyOS
-
CVE-2025-51736
MEDIUM
CVSS 6.3
File upload vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
File Upload
Unica
-
CVE-2025-51734
MEDIUM
CVSS 5.4
Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
XSS
Unica
-
CVE-2025-51733
MEDIUM
CVSS 5.5
Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
CSRF
Unica
-
CVE-2025-13737
MEDIUM
CVSS 4.3
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, requires no authentication and has low attack complexity. No vendor patch available.
WordPress
CSRF
PHP
-
CVE-2025-13683
MEDIUM
CVSS 6.5
Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.3.8.0; Remote Desktop Manager: through 2025.3.23.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Information Disclosure
Microsoft
Devolutions Server
Remote Desktop Manager
Windows
-
CVE-2025-12143
MEDIUM
CVSS 6.9
Stack-based Buffer Overflow vulnerability in ABB Terra AC wallbox.8.33. Rated medium severity (CVSS 6.9), this vulnerability has low attack complexity. No vendor patch available.
Stack Overflow
Buffer Overflow
ABB
-
CVE-2025-11156
MEDIUM
CVSS 5.9
Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. Rated medium severity (CVSS 5.9), this vulnerability has low attack complexity. No vendor patch available.
Denial Of Service
Null Pointer Dereference
Microsoft
Windows
-
CVE-2025-66382
LOW
CVSS 2.9
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. Rated low severity (CVSS 2.9), this vulnerability requires no authentication. No vendor patch available.
Information Disclosure
libexpat
-
CVE-2025-66372
LOW
CVSS 2.8
Mustang before 2.16.3 allows exfiltrating files via XXE attacks. Rated low severity (CVSS 2.8). No vendor patch available.
XXE