Skip to main content
CVE-2025-59718 CRITICAL KEV EUVD KEV THREAT Emergency

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to defeat FortiCloud SSO login by submitting a crafted SAML response, due to improper verification of the response's cryptographic signature. The flaw is confirmed actively exploited (CISA KEV), with Arctic Wolf observing malicious SSO logins in the wild, and EPSS rates it at the 93rd percentile of likelihood. Combined with a 9.8 CVSS score and CWE-347 root cause, this is a top-priority patching target for any organization running affected Fortinet management planes.

Fortinet Authentication Bypass Jwt Attack
NVD VulDB
CVSS 3.1
9.8
EPSS
9.5%
CVE-2025-65882 CRITICAL POC PATCH Act Now

OS command injection in OpenMPTCProuter through version 0.64 lets attackers write arbitrary files or execute arbitrary commands via the create_xor_ipad_opad function in the sysupgrade helper (common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c). Publicly available exploit code exists (published as a GitHub gist), and a vendor fix is available as an upstream commit; the flaw is not listed in CISA KEV and carries a modest EPSS of 0.59% (44th percentile), indicating no confirmed active exploitation at time of analysis. The submitted CVSS of 9.8 assumes remote unauthenticated access, but because the vulnerable code path is a firmware-upgrade helper, real-world exploitation likely depends on access to the router's upgrade functionality — verify against your deployment.

Command Injection Openmptcprouter
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-56704 HIGH POC This Week

Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.

PHP RCE File Upload Leptoncms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2025-10655 HIGH POC This Week

SQL injection in Frappe HelpDesk 1.14.0 dashboard functionality allows authenticated attackers to execute arbitrary SQL queries via the get_dashboard_data endpoint. Unsafe concatenation of user-controlled parameters into dynamic SQL statements enables data exfiltration and database manipulation. Publicly available exploit code exists. With CVSS 8.6 (Network/Low Complexity/Low Privilege Required), this represents a high-severity risk for organizations running the affected version, though no active exploitation (CISA KEV) has been confirmed.

SQLi Helpdesk
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-65594 HIGH POC This Week

Broken access control in OpenSIS 9.2 and earlier lets an authenticated low-privilege user (e.g. a student account) issue unauthorized database writes against other users' records via Student.php, enabling horizontal privilege escalation and tampering with data they should not control. Publicly available exploit code exists for this issue, though it is not listed in CISA KEV and carries a low EPSS score (0.26%, 18th percentile), indicating no confirmed widespread exploitation yet.

Authentication Bypass PHP Opensis
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-59719 CRITICAL EUVD KEV Act Now

Authentication bypass in Fortinet FortiWeb 8.0.0, 7.6.0-7.6.4, and 7.4.0-7.4.9 allows unauthenticated remote attackers to circumvent FortiCloud SSO login by sending a crafted SAML response message. The flaw stems from improper cryptographic signature verification (CWE-347), enabling forgery of authentication assertions. No public exploit identified at time of analysis, EPSS sits at 0.26% (50th percentile), and the issue is not currently listed in CISA KEV, though Fortinet products have historically been high-value targets.

Fortinet Authentication Bypass Jwt Attack Fortiweb
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-14324 CRITICAL PATCH Act Now

JIT compiler miscompilation in Mozilla's JavaScript engine allows remote code execution without authentication in Firefox (versions <146, <115.31 ESR, <140.6 ESR) and Thunderbird (versions <146, <140.6 ESR). The CVSS 9.8 critical score reflects network-based exploitation requiring no user interaction. EPSS score of 0.10% (27th percentile) suggests low predicted exploitation probability despite severity. No public exploit identified at time of analysis, and vendor-released patches are available across all affected product lines per Mozilla security advisories MFSA2025-92 through MFSA2025-96.

Mozilla RCE Code Injection Thunderbird Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14330 CRITICAL PATCH Act Now

Just-In-Time (JIT) compilation flaws in Mozilla's JavaScript engine allow unauthenticated remote attackers to achieve arbitrary code execution with high integrity and availability impact across Firefox and Thunderbird. Affects Firefox <146, Firefox ESR <140.6, Thunderbird <146, and Thunderbird ESR <140.6. Despite a critical CVSS 9.8 score, EPSS probability remains low at 0.09% (25th percentile), and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. Vendor-released patches are available across all affected product lines.

Mozilla Buffer Overflow Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14321 CRITICAL PATCH Act Now

Remote code execution via use-after-free in Mozilla Firefox and Thunderbird WebRTC signaling allows unauthenticated network attackers to execute arbitrary code without user interaction. Affects Firefox <146, Firefox ESR <140.6, Thunderbird <146, and Thunderbird ESR <140.6. Vendor-released patches available (Firefox 146, Firefox ESR 140.6, Thunderbird 146, Thunderbird 140.6). CVSS 9.8 (critical) reflects maximum technical severity, though EPSS 0.09% (25th percentile) and absence from CISA KEV suggest limited real-world exploitation at time of analysis. No public exploit identified at time of analysis.

Memory Corruption Mozilla Use After Free Information Disclosure Thunderbird +2
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14326 CRITICAL PATCH Act Now

Remote code execution in Mozilla Firefox and Thunderbird (pre-146) allows unauthenticated network attackers to execute arbitrary code via a use-after-free flaw in the GMP (Gecko Media Plugin) audio/video component. Despite a critical CVSS 9.8 rating, EPSS probability remains low (0.08%, 23rd percentile), and no public exploit identified at time of analysis. Mozilla patched both products in version 146, with vendor advisories and technical details available via Bugzilla.

Memory Corruption Mozilla Use After Free Information Disclosure Thunderbird +2
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-12504 CRITICAL Act Now

Unauthenticated SQL injection in Talent Software UNIS versions prior to 42321 allows remote attackers to manipulate backend database queries over the network without any authentication or user interaction. The vulnerability carries a CVSS 9.8 rating reflecting full compromise potential across confidentiality, integrity, and availability, and was reported by Turkey's national CSIRT (USOM), though no public exploit code or CISA KEV listing has been identified at time of analysis.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-11022 CRITICAL Act Now

Cross-site request forgery in Panilux versions before 0.10.0 can be chained to command injection, allowing remote attackers to execute arbitrary operating system commands when an authenticated user is tricked into visiting a malicious page. The CVSS 9.6 (AV:N/AC:L/PR:N/UI:R/S:C) reflects scope change and full CIA impact, though exploitation requires user interaction and the affected vendor has denied ownership of the product, complicating disclosure. EPSS is very low at 0.04% (11th percentile) and no public exploit is identified at time of analysis.

CSRF Command Injection
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-14337 MEDIUM POC This Month

A vulnerability was determined in itsourcecode Student Management System 1.0. This affects an unknown part of the file /new_grade.php. This manipulation of the argument grade causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14336 MEDIUM POC This Month

A vulnerability was found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /promote.php. The manipulation of the argument sy results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14335 MEDIUM POC This Month

A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /new_school_year.php. The manipulation of the argument sy leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14334 MEDIUM POC This Month

A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /new_adviser.php. Executing manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14285 MEDIUM POC This Month

A vulnerability was found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file edit_personnel.php. The manipulation of the argument per_id results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

PHP SQLi Employee Profile Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-67586 MEDIUM POC This Month

Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Highlight and Share: from n/a through <= 5.2.0.

Authentication Bypass
NVD Exploit-DB VulDB
CVSS 3.1
4.7
EPSS
1.7%
CVE-2025-67515 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion.This issue affects Wilmër: from n/a through < 3.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-14323 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox and Thunderbird's DOM Notifications component enables unauthenticated remote attackers to achieve high-severity impacts (confidentiality, integrity, availability) via user interaction. Affects Firefox <146, Firefox ESR <115.31 and <140.6, Thunderbird <146 and <140.6. EPSS exploitation probability is low (0.08%, 23rd percentile), and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. Vendor-released patches are available across all affected product lines.

Mozilla Privilege Escalation Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-14329 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox and Thunderbird Netmonitor component allows remote attackers to execute arbitrary code with elevated privileges when users interact with malicious content. Affects Firefox versions prior to 146, Firefox ESR prior to 140.6, Thunderbird prior to 146, and Thunderbird ESR prior to 140.6. Mozilla released patches in January 2025 across all product lines. EPSS score of 0.07% (22nd percentile) indicates low current exploitation probability, with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis. CVSS 8.8 reflects the high impact potential despite requiring user interaction.

Mozilla Privilege Escalation Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-14328 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox and Thunderbird's Netmonitor component allows unauthenticated remote attackers to gain elevated privileges via user interaction. Affects Firefox <146, Firefox ESR <140.6, Thunderbird <146, and Thunderbird ESR <140.6. With an 8.8 CVSS score but only 0.07% EPSS (22nd percentile), no public exploit identified at time of analysis, and vendor-released patches available. Not listed in CISA KEV, indicating no confirmed active exploitation.

Mozilla Privilege Escalation Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67518 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection.This issue affects Accordion Slider PRO: from n/a through <= 1.2.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-67517 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-67516 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.

WordPress SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-62093 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection.This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-62557 HIGH This Week

Local code execution in Microsoft Office (365 Apps, Office 2016/2019, and Office LTSC 2021 across Windows, macOS, and Android) stems from a use-after-free memory corruption flaw tracked as CVE-2025-62557. An attacker who entices a user to open a crafted document can achieve arbitrary code execution with the privileges of the current user, with no public exploit identified at time of analysis. The CVSS 8.4 rating reflects high impact across confidentiality, integrity, and availability despite the local attack vector.

Memory Corruption Microsoft Denial Of Service Use After Free 365 Apps +2
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-62554 HIGH This Week

Local code execution in Microsoft Office (365 Apps, Office 2016/2019, Office LTSC 2021, and Office for Android/macOS) stems from a type confusion flaw (CWE-843) that lets an attacker run arbitrary code in the context of the current user. Despite PR:N/UI:N in the CVSS vector, the AV:L attack vector means the attacker must deliver a malicious document to be opened on the target host. No public exploit has been identified at time of analysis and the CVE is not on the CISA KEV list.

Memory Corruption Microsoft Authentication Bypass 365 Apps Office +1
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-14333 HIGH PATCH This Week

Multiple memory corruption flaws in Firefox and Thunderbird enable remote code execution via network-accessible attack vectors. Mozilla Firefox ESR 140.5, Firefox 145, Thunderbird ESR 140.5, and Thunderbird 145 contain memory safety bugs with evidence of corruption that Mozilla presumes exploitable for arbitrary code execution. Authentication requirements not confirmed from available data (CVSS vector shows PR:N). Vendor-released patches available: Firefox 146, Firefox ESR 140.6, Thunderbird 146, Thunderbird 140.6. EPSS probability is low (0.09%, 25th percentile), and no public exploit identified at time of analysis.

Memory Corruption Mozilla RCE Buffer Overflow Thunderbird +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-14322 HIGH PATCH This Week

Sandbox escape in Mozilla Firefox and Thunderbird's CanvasWebGL component allows remote attackers to bypass security boundaries via crafted web content with user interaction. Affects Firefox <146, Firefox ESR <115.31 and <140.6, Thunderbird <146 and Thunderbird ESR <140.6. EPSS probability is low (0.06%, 20th percentile), and no public exploit identified at time of analysis. The CVSS score of 8.0 reflects high confidentiality and integrity impact with scope change, though attack complexity is high and requires user interaction.

Mozilla Information Disclosure Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-64785 HIGH This Week

Arbitrary code execution in Adobe Acrobat Reader DC and Acrobat DC (all editions through versions 25.001.20982, 24.001.30273, and 20.005.30803) occurs when malicious files manipulate the application's DLL search path. Attackers achieve full code execution with current user privileges through local attack requiring social engineering to open a crafted PDF or related file. Adobe confirms the vulnerability in security bulletin APSB25-119 with patches released for all affected product lines. EPSS data not provided, but the local vector with required user interaction (AV:L/UI:R) and lack of CISA KEV listing suggest lower probability of widespread automated exploitation compared to remote vulnerabilities, though targeted attacks via phishing remain viable.

RCE Adobe
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-67520 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection.This issue affects Media Library Tools: from n/a through <= 1.6.15.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-67519 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.3.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-67532 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67531 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Turitor turitor allows PHP Local File Inclusion.This issue affects Turitor: from n/a through < 1.5.3.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67530 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67529 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP Fashion fashion2 allows PHP Local File Inclusion.This issue affects Fashion: from n/a through < 5.3.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67527 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion.This issue affects Digiqole: from n/a through < 2.2.7.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67526 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion.This issue affects Sailing: from n/a through < 4.4.6.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67525 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion.This issue affects ekommart: from n/a through < 4.3.1.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67524 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion.This issue affects Jobmonster Elementor Addon: from n/a through <= 1.1.4.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67523 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion.This issue affects Exhibz: from n/a through <= 3.0.9.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67522 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster noo-jobmonster allows PHP Local File Inclusion.This issue affects Jobmonster: from n/a through <= 4.8.2.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67521 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion.This issue affects Select Core: from n/a through < 2.6.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63074 HIGH This Week

Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.

WordPress PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63062 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion.This issue affects UDesign Core: from n/a through <= 4.14.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63036 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion.This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67528 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66622 HIGH PATCH This Week

A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.

Denial Of Service Deserialization Python Matrix Rust Sdk
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14327 HIGH PATCH This Week

Downloads Panel in Mozilla Firefox and Thunderbird allows remote spoofing attacks enabling integrity compromise without authentication. Affects Firefox <146, Thunderbird <146, Firefox ESR <140.7, and Thunderbird ESR <140.7. The authentication bypass flaw (CWE-290) permits network-based attackers to manipulate download information displayed to users with low attack complexity and no user interaction required. Despite CVSS 7.5 (High), EPSS score of 0.02% (3rd percentile) indicates minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis.

Mozilla Authentication Bypass Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy