Skip to main content
CVE-2025-48572 HIGH KEV THREAT Act Now

Android contains a missing authentication vulnerability (CVE-2025-48572, CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, enabling local privilege escalation without user interaction. KEV-listed, this vulnerability enables malicious apps to perform privileged operations silently in the background, bypassing Android's activity launch restrictions.

Privilege Escalation Authentication Bypass Android Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2025-63721 HIGH POC This Week

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.

Deserialization Hummerrisk
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-65795 HIGH POC PATCH This Week

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.

Authentication Bypass Memos
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-65271 HIGH PATCH This Week

Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.

Privilege Escalation Code Injection RCE Azuriom
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12956 HIGH This Week

A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

XSS 3dexperience Enovia
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-26487 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge.

SSRF Infinera Mtc 9 Firmware
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-66324 HIGH This Week

Input verification vulnerability in the compression and decompression module. Impact: Successful exploitation of this vulnerability may affect app data integrity.

Privilege Escalation Harmonyos
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-66328 HIGH This Week

Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability.

Information Disclosure Race Condition Harmonyos
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-42620 HIGH PATCH This Week

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).  This issue affects Vulnerability-Lookup: before 2.18.0.

XSS
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-42615 HIGH PATCH This Week

A security vulnerability in affected (CVSS 8.1). High severity vulnerability requiring prompt remediation.

RCE
NVD
CVSS 4.0
8.1
EPSS
0.1%
CVE-2025-48566 HIGH PATCH This Week

In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48565 HIGH PATCH This Week

CVE-2025-48565 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48638 HIGH This Week

In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Privilege Escalation Memory Corruption Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48623 HIGH PATCH This Week

In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Privilege Escalation Memory Corruption Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48525 HIGH PATCH This Week

In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48632 HIGH PATCH This Week

In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48624 HIGH This Week

In multiple functions of arm-smmu-v3.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Privilege Escalation Memory Corruption Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48612 HIGH PATCH This Week

In multiple locations, there is a possible way for an application on a work profile to set the main user's default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48606 HIGH This Week

CVE-2025-48606 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48637 HIGH This Week

In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Privilege Escalation Integer Overflow Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48620 HIGH PATCH This Week

CVE-2025-48620 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48629 HIGH This Week

CVE-2025-48629 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48627 HIGH PATCH This Week

CVE-2025-48627 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48615 HIGH PATCH This Week

In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48596 HIGH PATCH This Week

In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Privilege Escalation Information Disclosure Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48588 HIGH PATCH This Week

CVE-2025-48588 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48583 HIGH PATCH This Week

A remote code execution vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation RCE Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48628 HIGH PATCH This Week

CVE-2025-48628 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48599 HIGH PATCH This Week

In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48597 HIGH PATCH This Week

In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation XSS Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48589 HIGH PATCH This Week

CVE-2025-48589 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48586 HIGH PATCH This Week

CVE-2025-48586 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48580 HIGH PATCH This Week

CVE-2025-48580 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48573 HIGH PATCH This Week

In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48555 HIGH PATCH This Week

In multiple functions of NotificationStation.java, there is a possible cross-profile information disclosure due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Information Disclosure Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48536 HIGH PATCH This Week

CVE-2025-48536 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-32329 HIGH PATCH This Week

CVE-2025-32329 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-32328 HIGH PATCH This Week

CVE-2025-32328 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-22420 HIGH PATCH This Week

CVE-2025-22420 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48575 HIGH PATCH This Week

In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-26488 HIGH This Week

Improper Input Validation vulnerability in Infinera MTC-9 allows remote unauthenticated users to crash the service and cause a reboot of the appliance, thus causing a DoS condition, via crafted XML payloads.This issue affects MTC-9: from R22.1.1.0275 before R23.0.

Denial Of Service Infinera Mtc 9 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48592 HIGH PATCH This Week

In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Information Disclosure Android Google
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48639 HIGH This Week

In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Privilege Escalation XSS Android Google
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-48594 HIGH PATCH This Week

In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-48621 HIGH PATCH This Week

CVE-2025-48621 is a security vulnerability (CVSS 7.3) that allows a tapjacking attack due. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-65363 HIGH This Week

Authenticated append-style command-injection Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root, enabling file disclosure, device disruption, and potential network pivoting via the command parameter to the web_action.do endpoint.

Command Injection Rg Ap720 L Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14261 HIGH PATCH This Week

CVE-2025-14261 is a security vulnerability (CVSS 7.1). High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-66327 HIGH This Week

Race condition vulnerability in the network module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Information Disclosure Race Condition Harmonyos
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-42616 HIGH PATCH This Week

Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user’s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user’s explicit consent or awareness.  The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0.

CSRF
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-48564 HIGH PATCH This Week

In multiple locations, there is a possible intent filter bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Race Condition Android Google
NVD
CVSS 3.1
7.0
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy