Skip to main content
CVE-2025-43510 HIGH POC KEV THREAT Act Now

Apple kernel lock state checking flaw allows a malicious application to cause unexpected changes in memory shared between processes, potentially enabling cross-process data manipulation on iOS, macOS, and other Apple platforms.

Apple Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Threat
4.6
CVE-2025-12968 HIGH This Week

Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.

RCE WordPress File Upload
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-65530 HIGH This Week

Arbitrary root file overwrite in CloudLinux ai-bolit before v32.7.4 occurs when the scanner's malware de-obfuscation routines evaluate attacker-controlled content, enabling code injection that runs with the scanner's root privileges. A crafted file placed where ai-bolit will scan it triggers the flaw, letting an attacker overwrite arbitrary files as root and effectively take over the host. There is no public exploit identified at time of analysis, EPSS risk is modest (0.29%, 21st percentile), and it is not listed in CISA KEV.

Code Injection Ai Bolit
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-13506 HIGH This Week

Privilege escalation in Nebim V3 ERP versions 2.0.59 through 3.0.0 lets an authenticated database-level attacker pivot from SQL access to operating-system control because the application stack executes with unnecessary privileges (CWE-250). Reported through Turkey's USOM/CERT-TR (advisory TR-25-0450), the issue carries CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:H), and there is no public exploit identified at time of analysis, with EPSS at 0.09% (26th percentile).

Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-43539 HIGH This Week

Memory corruption via out-of-bounds write in Apple operating systems allows remote attackers to execute arbitrary code when victims process a malicious file. The vulnerability affects macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x), iOS/iPadOS (18.x, 26.x), tvOS, visionOS, and watchOS 26.x. Despite a high CVSS score of 8.8, EPSS data indicates only 0.05% exploitation probability (15th percentile), and no public exploit code or active exploitation is confirmed. The flaw stems from inadequate bounds checking (CWE-787) in file processing routines, requiring user interaction but no authentication, making it a realistic phishing or malicious download target.

Apple iOS macOS Memory Corruption
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-67508 HIGH PATCH This Week

A command injection vulnerability in gardenctl allows attackers with administrative privileges in a Gardener project to inject malicious commands through crafted credential values when non-POSIX shells (Fish, PowerShell) are used by service operators. The vulnerability affects gardenctl versions 2.11.0 and below, enabling attackers to break out of string contexts and execute arbitrary commands with potentially high impact on confidentiality, integrity, and availability. With an EPSS score of only 0.06% and no known exploitation in the wild or public POC, this represents a lower real-world risk despite the high CVSS score of 8.4.

Command Injection Privilege Escalation Gardenctl Suse
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-43320 HIGH This Week

macOS launch constraint bypass enables authenticated local users to execute code with elevated privileges on macOS Sequoia (up to 15.7.2) and macOS Tahoe (pre-26). The vulnerability requires low-complexity exploitation by a user with existing local access, allowing them to circumvent Apple's launch constraint security framework and achieve full system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with EPSS indicating only 0.02% probability of exploitation in the wild (5th percentile).

Apple macOS Privilege Escalation RCE
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-46285 HIGH This Week

Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.

Apple iOS macOS Integer Overflow Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-43527 HIGH This Week

Local privilege escalation in macOS Sequoia (pre-15.7.3) and macOS Tahoe (pre-26.2) allows authenticated users with low-level privileges to gain root access via a permissions flaw. Apple addressed the issue with additional restrictions in the latest updates. EPSS score of 0.01% indicates minimal observed exploitation activity, and no public exploit identified at time of analysis.

Apple macOS Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-43512 HIGH This Week

Local privilege escalation in Apple macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x) and iOS/iPadOS 18.x allows authenticated users to gain elevated system privileges through malicious applications exploiting a logic flaw in privilege checking mechanisms. Apple has released patches across all affected platforms (iOS 18.7.3, iPadOS 18.7.3, macOS Sequoia 15.7.3, Sonoma 14.8.3, Tahoe 26.2). No public exploit identified at time of analysis, with EPSS score of 0.01% (3rd percentile) indicating minimal observed exploitation activity.

Apple iOS macOS Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-43402 HIGH This Week

Memory corruption in macOS kernel allows authenticated local users to execute arbitrary code or crash the system. Apple fixed the vulnerability via improved memory handling in macOS Sequoia 15.7.4, Sonoma 14.8.4, and Tahoe 26.1. With CVSS 7.8 (High severity) reflecting local attack vector requiring low privileges, and EPSS at 0.01% (2nd percentile), this represents a moderate real-world risk despite high CVSS scoring. No public exploit identified at time of analysis, and no evidence of active exploitation (not in CISA KEV).

Apple macOS Memory Corruption Denial Of Service
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-67721 HIGH PATCH This Week

A buffer information disclosure vulnerability exists in the Aircompressor Java compression library affecting Snappy and LZ4 decompressor implementations. Versions 3.3 and below of Airlift Aircompressor allow remote attackers to read previous buffer contents through crafted compressed input, potentially leaking sensitive data from applications that reuse output buffers across multiple decompression operations. With an EPSS score of 0.19% (41st percentile), active exploitation appears low probability despite the network-accessible attack vector, and no public proof-of-concept is currently documented.

Java Information Disclosure Buffer Overflow Aircompressor
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-43494 HIGH This Week

Mail header parsing flaw in Apple operating systems allows unauthenticated remote attackers to trigger persistent denial-of-service conditions across iOS, iPadOS, macOS, visionOS, and watchOS platforms. The vulnerability affects all major Apple OS releases prior to January 2025 patches (iOS/iPadOS 18.7.2/26.1, macOS Sequoia 15.7.2/Sonoma 14.8.2/Tahoe 26.1, visionOS 26.1, watchOS 26.1). With EPSS exploitation probability at 0.19% (41st percentile) and no public exploit identified at time of analysis, real-world risk appears moderate despite the 7.5 CVSS score.

Apple iOS macOS Denial Of Service Ipados +3
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-67731 HIGH PATCH This Week

Servify Express, a Node.js package for starting Express servers, contains a denial of service vulnerability caused by the absence of size limits on JSON request bodies parsed by express.json(). Attackers can exploit this by sending extremely large payloads to cause memory exhaustion and crash the application process. With an EPSS score of 0.07% (21st percentile), active exploitation remains low-probability, though a patch is available and the vulnerability affects any internet-facing application using affected versions.

Node.js Express Denial Of Service Servify Express
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-43542 HIGH This Week

Password field disclosure in Apple operating systems allows remote observation of credentials during FaceTime screen sharing sessions. Affects iOS/iPadOS 18.x through 18.7.2, iOS/iPadOS 26.0-26.1, macOS Sequoia through 15.7.2, macOS Tahoe through 26.1, and visionOS through 26.1. Attackers with network access to FaceTime sessions can view password fields that should be masked, creating credential exposure risk during remote support or collaboration scenarios. EPSS score of 0.03% (10th percentile) indicates low automated exploitation probability, and no public exploit identified at time of analysis.

Apple iOS Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-36745 HIGH This Week

Physical access to SolarEdge SE3680H solar inverters allows privilege escalation, remote code execution, and information disclosure through unpatched Linux kernel vulnerabilities. Reported by DIVD CSIRT, this affects SE3680H firmware running outdated kernel subsystems. While CVSS 4.0 scores 7.0 with physical attack vector (AV:P), the presence of RCE and privilege escalation tags indicates high impact once physical proximity is achieved. No EPSS score, KEV listing, or public exploit identified at time of analysis, suggesting limited current exploitation risk for typical deployment scenarios.

RCE Privilege Escalation Linux Se3680H Firmware
NVD
CVSS 4.0
7.0
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy