Skip to main content
CVE-2025-65828 MEDIUM POC This Month

Unauthenticated Bluetooth Low Energy (BLE) command execution against the Meatmeet Pro WiFi & Bluetooth Meat Thermometer firmware 1.0.34.4 allows any proximity attacker to issue shutdown, restart, or factory-reset commands without credentials, resulting in a denial of service. The clear-config command is particularly disruptive: it dissociates the device from its owner account, severing the connection to the Meatmeet cloud backend and requiring full device re-provisioning before temperature data can be received again. A public proof-of-concept is available via a GitHub gist, though EPSS sits at 0.27% (19th percentile), reflecting the niche consumer IoT footprint rather than low technical reproducibility.

Authentication Bypass Denial Of Service Meatmeet Pro Wifi Bluetooth Meat Thermometer Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-61821 MEDIUM This Month

Arbitrary file read in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier stems from an XML External Entity (XXE) flaw (CWE-611) that lets remote unauthenticated attackers retrieve sensitive files from the server. Adobe rates the issue 8.6 (CVSS 3.1) with a scope change, and no public exploit is identified at time of analysis, though the description notes exploitation depends on conditions beyond the attacker's control.

XXE Coldfusion
NVD VulDB
CVSS 3.1
6.8
EPSS
0.5%
CVE-2025-67499 MEDIUM PATCH This Month

The CNI portmap plugin versions 1.6.0 through 1.8.0 contain a traffic interception vulnerability when configured with the nftables backend, allowing containers to receive and intercept all traffic destined for their configured HostPort regardless of destination IP address. This affects Linux Foundation's CNI Network Plugins, and an attacker with local privileges and control over a container can intercept traffic intended for other containers or services on the same node. The vulnerability has a published patch available in version 1.9.0, an extremely low EPSS score of 0.02% indicates minimal real-world exploitation likelihood, and there is no indication of active exploitation in the wild.

Information Disclosure Cni Network Plugins Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-64898 MEDIUM This Month

Insufficiently Protected Credentials in Adobe ColdFusion (versions 2025.4, 2023.16, and 2021.22 and earlier) enables unauthenticated remote attackers to gain limited unauthorized write access by exploiting improperly stored or transmitted credentials. The CVSS vector confirms network-accessible, zero-complexity exploitation with no privileges or user interaction required, producing limited integrity impact. Tagged as an Authentication Bypass vector, this vulnerability is distinct from a simple credential disclosure - it permits write operations, making it a meaningful integrity risk despite the moderate CVSS score. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Coldfusion
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-34430 MEDIUM This Month

Cross-site request forgery in 1Panel versions 1.10.33 through 2.0.15 allows a remote attacker to change an authenticated user's panel name by luring them to a malicious webpage. The panel name management endpoint omits both anti-CSRF tokens and Origin/Referer header validation, so the victim's browser automatically includes valid session cookies when the forged request fires. No public exploit code and no CISA KEV listing exist at time of analysis; real-world impact is limited to low-integrity panel configuration tampering.

CSRF 1panel
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2025-13125 MEDIUM This Month

DijiDemi, a platform by Im Park Information Technology, contains an authorization bypass vulnerability (CWE-639) that allows authenticated low-privileged users to access data belonging to other users by manipulating user-controlled identifier keys. Affecting all versions through 28.11.2025, the flaw enables horizontal privilege escalation - an attacker with a valid low-privilege account can exploit trusted identifiers to read confidential data outside their authorized scope. No public exploit code exists and no KEV listing is present; with an EPSS of 0.03% (10th percentile), active exploitation is not currently anticipated.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy