Skip to main content
CVE-2025-55182 CRITICAL POC KEV EUVD KEV PATCH THREAT Act Now

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.

Deserialization RCE React Next.Js Red Hat +1
NVD GitHub Exploit-DB VulDB
CVSS 3.1
10.0
EPSS
71.1%
Threat
9.1
CVE-2025-13486 CRITICAL POC THREAT Emergency

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.

WordPress Code Injection RCE PHP
NVD
CVSS 3.1
9.8
EPSS
75.3%
Threat
5.7
CVE-2025-13390 CRITICAL POC PATCH Act Now

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Authentication Bypass WordPress Wp Directory Kit PHP
NVD GitHub
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-32641 CRITICAL POC PATCH Act Now

Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

Code Injection RCE Masacms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-64055 CRITICAL POC Act Now

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

File Upload Authentication Bypass X210 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-66489 CRITICAL POC PATCH Act Now

A remote code execution vulnerability in Cal.com (CVSS 9.8) that allows an attacker. Risk factors: public PoC available.

Authentication Bypass Cal.Com
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-66222 CRITICAL POC PATCH Act Now

DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.

Code Injection XSS RCE Deepchat
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2025-34319 CRITICAL Act Now

TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter.

Command Injection TOTOLINK
NVD
CVSS 4.0
9.3
EPSS
3.4%
CVE-2025-66208 CRITICAL PATCH Act Now

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

PHP Command Injection Online Nextcloud
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-13342 CRITICAL Act Now

A security vulnerability in Frontend Admin by DynamiApps (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-66032 CRITICAL POC PATCH Act Now

Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.

Command Injection RCE Claude Code
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-64443 CRITICAL PATCH Act Now

A security vulnerability in MCP Gateway (CVSS 9.6). Critical severity with potential for significant impact on affected systems. Vendor patch is available.

Information Disclosure Mcp Gateway Suse
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-65267 CRITICAL Act Now

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

Privilege Escalation XSS Erpnext Frappe
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy