Skip to main content
CVE-2025-67644 HIGH POC PATCH This Week

A SQL injection vulnerability exists in LangGraph SQLite Checkpoint, an implementation of LangGraph CheckpointSaver for SQLite databases. The vulnerability affects versions 3.0.0 and below of the langgraph-checkpoint-sqlite Python package, allowing attackers with local access and low privileges to manipulate SQL queries through unvalidated metadata filter keys in checkpoint search operations. A proof-of-concept exploit is publicly available, though the EPSS score of 0.02% (6th percentile) suggests minimal active exploitation in the wild currently.

SQLi Langgraph Checkpoint Sqlite
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-66590 HIGH This Week

Out-of-bounds write in AzeoTech DAQFactory release 20.7 (Build 2555) enables arbitrary code execution or denial of service when a local user opens or interacts with attacker-supplied content. The flaw was reported through CISA ICS-CERT and disclosed in ICS advisory ICSA-25-345-03, indicating ICS/SCADA operational technology impact, though no public exploit identified at time of analysis and no CISA KEV listing exists.

Memory Corruption Buffer Overflow RCE Daqfactory
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2025-66588 HIGH This Week

Arbitrary code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a local user opens or interacts with attacker-supplied content that triggers an access-of-uninitialized-pointer condition. The flaw was reported through CISA ICS-CERT and is tracked in ICS advisory ICSA-25-345-03; no public exploit identified at time of analysis and the CVSS 4.0 vector (AV:L/AC:L/PR:N/UI:A) indicates local vector with required user interaction rather than remote network exploitation.

Memory Corruption RCE Daqfactory
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2025-14523 HIGH PATCH This Week

HTTP request smuggling in libsoup, GNOME's HTTP client/server library, lets remote unauthenticated attackers exploit inconsistent Host header parsing: libsoup accepts multiple Host: headers and processes the last occurrence, while common front-end proxies honor the first. Supplying duplicate Host headers creates a proxy/backend mismatch enabling vhost confusion, request smuggling, cache poisoning, and bypass of host-based access controls. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Red Hat has shipped fixes across numerous products (15 RHSA errata).

Request Smuggling Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2025-13124 HIGH This Week

Authorization bypass in Netiket Information Technologies' ApplyLogic platform (all versions through 01.12.2025) allows authenticated remote attackers to manipulate user-controlled identifiers to access or modify resources belonging to other users. The flaw is classified as an Insecure Direct Object Reference (IDOR) pattern with high integrity impact, and no public exploit has been identified at time of analysis. EPSS exploitation probability is low (0.07%, 22nd percentile), and the CVE is not on the CISA KEV list.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-13003 HIGH This Week

Authorization bypass in Aksis AxOnboard versions 3.2.0 through 3.2.x allows authenticated low-privileged users to manipulate user-controlled identifiers (IDOR pattern) and access or modify resources belonging to other users or tenants. Türkiye's national CSIRT USOM (TR-25-0446) coordinated disclosure, and while no public exploit code has been identified, the high integrity impact in a multi-tenant onboarding platform makes this a meaningful escalation-of-privilege risk for organizations using version 3.2.x.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-66586 HIGH This Week

Type confusion in AzeoTech DAQFactory 20.7 (Build 2555) enables arbitrary code execution when a user opens a maliciously crafted .ctl project file, corrupting memory in the parser and running attacker-controlled code in the process context. Reported through CISA ICS-CERT and tracked in ICS advisory ICSA-25-345-03, the flaw affects industrial data acquisition and HMI deployments; no public exploit identified at time of analysis and EPSS data was not provided.

Memory Corruption Buffer Overflow Daqfactory
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-66585 HIGH This Week

Local code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a user opens a maliciously crafted .ctl project file, triggering a use-after-free condition (CWE-416) in the parser. The flaw was reported by ICS-CERT (DHS) and documented in CISA ICS advisory ICSA-25-345-03, but there is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Denial Of Service Use After Free Memory Corruption Buffer Overflow Daqfactory
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-67648 HIGH PATCH This Week

Shopware, an open commerce platform, contains a reflected cross-site scripting (XSS) vulnerability in its authentication controller where the 'waitTime' URL parameter from the login page is rendered directly into the Twig template without validation or sanitization. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 are affected, allowing attackers to inject malicious JavaScript code through crafted URLs. With an EPSS score of only 0.04% (11th percentile), active exploitation appears low despite the availability of patches and public advisories.

XSS PHP Shopware
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy