Skip to main content
CVE-2025-56704 HIGH POC This Week

Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.

PHP RCE File Upload Leptoncms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2025-10655 HIGH POC This Week

SQL injection in Frappe HelpDesk 1.14.0 dashboard functionality allows authenticated attackers to execute arbitrary SQL queries via the get_dashboard_data endpoint. Unsafe concatenation of user-controlled parameters into dynamic SQL statements enables data exfiltration and database manipulation. Publicly available exploit code exists. With CVSS 8.6 (Network/Low Complexity/Low Privilege Required), this represents a high-severity risk for organizations running the affected version, though no active exploitation (CISA KEV) has been confirmed.

SQLi Helpdesk
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-65594 HIGH POC This Week

Broken access control in OpenSIS 9.2 and earlier lets an authenticated low-privilege user (e.g. a student account) issue unauthorized database writes against other users' records via Student.php, enabling horizontal privilege escalation and tampering with data they should not control. Publicly available exploit code exists for this issue, though it is not listed in CISA KEV and carries a low EPSS score (0.26%, 18th percentile), indicating no confirmed widespread exploitation yet.

Authentication Bypass PHP Opensis
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-67515 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion.This issue affects Wilmër: from n/a through < 3.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-14323 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox and Thunderbird's DOM Notifications component enables unauthenticated remote attackers to achieve high-severity impacts (confidentiality, integrity, availability) via user interaction. Affects Firefox <146, Firefox ESR <115.31 and <140.6, Thunderbird <146 and <140.6. EPSS exploitation probability is low (0.08%, 23rd percentile), and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. Vendor-released patches are available across all affected product lines.

Mozilla Privilege Escalation Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-14329 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox and Thunderbird Netmonitor component allows remote attackers to execute arbitrary code with elevated privileges when users interact with malicious content. Affects Firefox versions prior to 146, Firefox ESR prior to 140.6, Thunderbird prior to 146, and Thunderbird ESR prior to 140.6. Mozilla released patches in January 2025 across all product lines. EPSS score of 0.07% (22nd percentile) indicates low current exploitation probability, with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis. CVSS 8.8 reflects the high impact potential despite requiring user interaction.

Mozilla Privilege Escalation Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-14328 HIGH PATCH This Week

Privilege escalation in Mozilla Firefox and Thunderbird's Netmonitor component allows unauthenticated remote attackers to gain elevated privileges via user interaction. Affects Firefox <146, Firefox ESR <140.6, Thunderbird <146, and Thunderbird ESR <140.6. With an 8.8 CVSS score but only 0.07% EPSS (22nd percentile), no public exploit identified at time of analysis, and vendor-released patches available. Not listed in CISA KEV, indicating no confirmed active exploitation.

Mozilla Privilege Escalation Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67518 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection.This issue affects Accordion Slider PRO: from n/a through <= 1.2.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-67517 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-67516 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.

WordPress SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-62093 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection.This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-62557 HIGH This Week

Local code execution in Microsoft Office (365 Apps, Office 2016/2019, and Office LTSC 2021 across Windows, macOS, and Android) stems from a use-after-free memory corruption flaw tracked as CVE-2025-62557. An attacker who entices a user to open a crafted document can achieve arbitrary code execution with the privileges of the current user, with no public exploit identified at time of analysis. The CVSS 8.4 rating reflects high impact across confidentiality, integrity, and availability despite the local attack vector.

Memory Corruption Microsoft Denial Of Service Use After Free 365 Apps +2
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-62554 HIGH This Week

Local code execution in Microsoft Office (365 Apps, Office 2016/2019, Office LTSC 2021, and Office for Android/macOS) stems from a type confusion flaw (CWE-843) that lets an attacker run arbitrary code in the context of the current user. Despite PR:N/UI:N in the CVSS vector, the AV:L attack vector means the attacker must deliver a malicious document to be opened on the target host. No public exploit has been identified at time of analysis and the CVE is not on the CISA KEV list.

Memory Corruption Microsoft Authentication Bypass 365 Apps Office +1
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-14333 HIGH PATCH This Week

Multiple memory corruption flaws in Firefox and Thunderbird enable remote code execution via network-accessible attack vectors. Mozilla Firefox ESR 140.5, Firefox 145, Thunderbird ESR 140.5, and Thunderbird 145 contain memory safety bugs with evidence of corruption that Mozilla presumes exploitable for arbitrary code execution. Authentication requirements not confirmed from available data (CVSS vector shows PR:N). Vendor-released patches available: Firefox 146, Firefox ESR 140.6, Thunderbird 146, Thunderbird 140.6. EPSS probability is low (0.09%, 25th percentile), and no public exploit identified at time of analysis.

Memory Corruption Mozilla RCE Buffer Overflow Thunderbird +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-14322 HIGH PATCH This Week

Sandbox escape in Mozilla Firefox and Thunderbird's CanvasWebGL component allows remote attackers to bypass security boundaries via crafted web content with user interaction. Affects Firefox <146, Firefox ESR <115.31 and <140.6, Thunderbird <146 and Thunderbird ESR <140.6. EPSS probability is low (0.06%, 20th percentile), and no public exploit identified at time of analysis. The CVSS score of 8.0 reflects high confidentiality and integrity impact with scope change, though attack complexity is high and requires user interaction.

Mozilla Information Disclosure Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-64785 HIGH This Week

Arbitrary code execution in Adobe Acrobat Reader DC and Acrobat DC (all editions through versions 25.001.20982, 24.001.30273, and 20.005.30803) occurs when malicious files manipulate the application's DLL search path. Attackers achieve full code execution with current user privileges through local attack requiring social engineering to open a crafted PDF or related file. Adobe confirms the vulnerability in security bulletin APSB25-119 with patches released for all affected product lines. EPSS data not provided, but the local vector with required user interaction (AV:L/UI:R) and lack of CISA KEV listing suggest lower probability of widespread automated exploitation compared to remote vulnerabilities, though targeted attacks via phishing remain viable.

RCE Adobe
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-67520 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection.This issue affects Media Library Tools: from n/a through <= 1.6.15.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-67519 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.3.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-67532 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67531 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Turitor turitor allows PHP Local File Inclusion.This issue affects Turitor: from n/a through < 1.5.3.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67530 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67529 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP Fashion fashion2 allows PHP Local File Inclusion.This issue affects Fashion: from n/a through < 5.3.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67527 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion.This issue affects Digiqole: from n/a through < 2.2.7.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67526 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion.This issue affects Sailing: from n/a through < 4.4.6.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67525 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion.This issue affects ekommart: from n/a through < 4.3.1.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67524 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion.This issue affects Jobmonster Elementor Addon: from n/a through <= 1.1.4.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67523 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion.This issue affects Exhibz: from n/a through <= 3.0.9.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67522 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster noo-jobmonster allows PHP Local File Inclusion.This issue affects Jobmonster: from n/a through <= 4.8.2.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67521 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion.This issue affects Select Core: from n/a through < 2.6.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63074 HIGH This Week

Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.

WordPress PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63062 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion.This issue affects UDesign Core: from n/a through <= 4.14.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63036 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion.This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67528 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66622 HIGH PATCH This Week

A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.

Denial Of Service Deserialization Python Matrix Rust Sdk
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14327 HIGH PATCH This Week

Downloads Panel in Mozilla Firefox and Thunderbird allows remote spoofing attacks enabling integrity compromise without authentication. Affects Firefox <146, Thunderbird <146, Firefox ESR <140.7, and Thunderbird ESR <140.7. The authentication bypass flaw (CWE-290) permits network-based attackers to manipulate download information displayed to users with low attack complexity and no user interaction required. Despite CVSS 7.5 (High), EPSS score of 0.02% (3rd percentile) indicates minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis.

Mozilla Authentication Bypass Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-64666 HIGH This Week

Privilege escalation in Microsoft Exchange Server 2016 (and Subscription Edition per vendor tagging) allows an authenticated attacker on the network to elevate privileges through improper input validation (CWE-20). The flaw carries a CVSS 7.5 score with high impact to confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis.

Microsoft Information Disclosure Exchange Server Exchange Server Subscription Edition
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2025-14325 HIGH PATCH This Week

JIT compiler miscompilation in Mozilla Firefox and Thunderbird's JavaScript engine enables remote attackers to achieve limited confidentiality, integrity, and availability impact without authentication or user interaction. Affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird ESR < 140.6. Vendor-released patches available in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. No public exploit identified at time of analysis, with EPSS score of 0.11% (30th percentile) indicating low predicted exploitation probability.

Memory Corruption Mozilla Information Disclosure Thunderbird Red Hat +1
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-14332 HIGH PATCH This Week

Memory corruption vulnerabilities in Mozilla Firefox 145 and Thunderbird 145 enable remote code execution via multiple memory safety bugs. Unauthenticated remote attackers can exploit these flaws (CWE-787 buffer overflow) through network-based attack vectors with low complexity, requiring no user interaction. Mozilla has released patches in Firefox 146 and Thunderbird 146. EPSS score of 0.07% (21st percentile) suggests low observed exploitation probability, and no public exploit identified at time of analysis, though the vendor's assessment indicates memory corruption with exploitable potential.

Memory Corruption Mozilla RCE Buffer Overflow Thunderbird +2
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-66631 HIGH PATCH This Week

A critical remote code execution vulnerability exists in CSLA .NET framework versions 5.5.4 and below due to insecure deserialization when using WcfProxy with the obsolete NetDataContractSerializer. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without user interaction, potentially leading to complete system compromise. While no active exploitation has been reported in CISA KEV and no public POC is mentioned, the vulnerability's network-exposed nature and low attack complexity make it a high-priority security concern.

RCE Deserialization
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.5%
CVE-2025-53679 HIGH This Week

Authenticated OS command injection in Fortinet FortiSandbox (versions 5.0.0-5.0.2, 4.4.0-4.4.7, all 4.2.x, all 4.0.x) and FortiSandbox Cloud (24.1 and all 23.x) allows a high-privileged remote attacker to execute arbitrary commands by sending crafted HTTP/HTTPS requests to the management interface. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV, but the breadth of affected major versions and the network-reachable attack surface make this a notable post-authentication risk for security appliance operators.

Command Injection Fortinet Fortisandbox Fortisandbox Cloud
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2025-67533 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Portfolio Post themify-portfolio-post allows Stored XSS.This issue affects Themify Portfolio Post: from n/a through <= 1.3.0.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-67534 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS.This issue affects Rencontre: from n/a through <= 3.13.7.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-63030 HIGH This Week

Cross-Site Request Forgery in WordPress New User Approve plugin (versions ≤3.2.3) enables unauthenticated remote attackers to trick authenticated administrators into executing unauthorized actions via crafted requests. With EPSS probability of 0.02% (5th percentile) and no evidence of active exploitation (not in CISA KEV), this represents a moderate real-world risk despite a CVSS 7.1 score. The vulnerability requires user interaction (UI:R) but no attacker privileges (PR:N), making it viable through social engineering tactics like phishing emails containing malicious links.

CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49351 HIGH This Week

Cross-site request forgery (CSRF) in Create Posts & Terms WordPress plugin through version 1.3.1 enables attackers to inject malicious scripts that persist in the application database. Exploitation requires tricking an authenticated administrator into visiting a malicious page while logged into WordPress. The vulnerability chains CSRF with stored XSS, allowing attackers to execute arbitrary JavaScript in victims' browsers across sessions with potential for privilege escalation, data theft, and site compromise. EPSS score and exploitation data not available, but Patchstack database listing indicates security researcher disclosure.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy