21 CVEs tracked today. 1 Critical, 1 High, 14 Medium, 5 Low.
-
CVE-2025-14440
CRITICAL
CVSS 9.8
Authentication bypass in the JAY Login & Register plugin for WordPress, versions ≤2.4.01, allows unauthenticated remote attackers to impersonate any site user, administrators included, through flawed cookie validation in the user-switching function. An attacker needs only the target's user ID to obtain full account access without credentials. No public exploit identified at time of analysis.
WordPress
Authentication Bypass
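The pattern behind this entry is a switch function that takes the account to log in from a client-supplied value. The following is an added example, not code from the JAY Login & Register plugin; the cookie name, token layout and secret are hypothetical. It contrasts a function that trusts a user ID read from a cookie with one that accepts only a token the server itself issued.

```php
<?php
// Added example, not code from the JAY Login & Register plugin. The cookie
// name, token layout and secret are hypothetical. It contrasts a switch
// function that trusts a user ID read from a cookie with one that accepts
// only a token the server itself issued.

declare(strict_types=1);

// In practice this comes from configuration, never from source control.
const SWITCH_SECRET = 'long-random-server-side-secret';

// Vulnerable: whoever sets the cookie chooses the account. Knowing a
// target's user ID (often 1 for the first administrator) is enough.
function resolve_switch_user_insecure(array $cookies): ?int
{
    if (!isset($cookies['switch_to'])) {
        return null;
    }
    return (int) $cookies['switch_to'];
}

// The server issues "user_id|expires|hmac". The tag covers both fields,
// so neither can be changed without the secret.
function issue_switch_token(int $user_id, int $ttl_seconds = 300): string
{
    $expires = time() + $ttl_seconds;
    $payload = $user_id . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, SWITCH_SECRET);
}

// Fixed: parse, verify the tag in constant time, then check expiry.
function resolve_switch_user_secure(array $cookies, ?int $now = null): ?int
{
    if (!isset($cookies['switch_to'])) {
        return null;
    }
    $parts = explode('|', (string) $cookies['switch_to']);
    if (count($parts) !== 3) {
        return null;
    }
    [$user_id, $expires, $tag] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user_id . '|' . $expires, SWITCH_SECRET);
    if (!hash_equals($expected, $tag)) {
        return null;                       // forged or altered
    }
    if ((int) $expires < ($now ?? time())) {
        return null;                       // stale token
    }
    return (int) $user_id;
}

// Constructed cookie jars: an attacker who knows the admin's ID but not
// the secret, a genuine token, and that token with its user ID rewritten.
$genuine = issue_switch_token(42);
$jars = [
    'forged id'      => ['switch_to' => '1'],
    'genuine token'  => ['switch_to' => $genuine],
    'tampered token' => ['switch_to' => preg_replace('/^42\|/', '1|', $genuine)],
];
foreach ($jars as $label => $jar) {
    printf("%-15s insecure=%-5s secure=%s\n", $label,
        var_export(resolve_switch_user_insecure($jar), true),
        var_export(resolve_switch_user_secure($jar), true));
}
```

The insecure resolver accepts the forged and the tampered cookie; the secure one accepts only the genuine token. Inside WordPress a switch should additionally require the acting user to hold an appropriate capability and to present a nonce, and the account to log in must never be derived from a client-supplied value alone.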
-
CVE-2025-14476
HIGH
CVSS 8.8
PHP object injection in the Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code: untrusted input extracted from uploaded ZIP archives is passed to deserialization. Exploitation requires an administrator to have explicitly enabled Subscriber access. Available POP chains yield code execution, file deletion, and sensitive data retrieval. The attack needs low-privilege (PR:L) authentication, is reachable over the network and requires no user interaction. No public exploit identified at time of analysis.
PHP
WordPress
RCE
Information Disclosure
Deserialization
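To see why deserializing bytes taken from an uploaded archive is code execution, here is an added example; it is not the plugin's code, and the gadget class and file names are hypothetical. It runs a constructed payload through a bare unserialize() call and through the hardened call that refuses to instantiate classes.

```php
<?php
// Added example, not the Doubly Cross Domain Copy Paste plugin's code.
// The gadget class and file names are hypothetical; they show why
// unserialize() on attacker-controlled bytes (here, a file pulled from an
// uploaded ZIP) is code execution, and what the safe call looks like.
// Requires PHP 8 for the 'mixed' return type.

declare(strict_types=1);

// A "gadget": any loadable class with a side-effecting magic method.
// Real POP chains reuse classes that already exist in the application or
// its libraries; this one deletes a file in __destruct.
class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: whatever class name the bytes specify gets instantiated.
function import_settings_insecure(string $bytes): mixed
{
    return unserialize($bytes);
}

// Hardened: no class may be instantiated; objects come back as
// __PHP_Incomplete_Class, so no magic method ever runs.
function import_settings_secure(string $bytes): mixed
{
    return unserialize($bytes, ['allowed_classes' => false]);
}

// Better still: store settings as JSON and drop unserialize() entirely.
function import_settings_json(string $bytes): mixed
{
    return json_decode($bytes, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload: the serialized form of a TempFileCleaner whose
// path points at a file the attacker wants gone. Nothing in the
// vulnerable code checks it.
$victim = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($victim, 'important');
$payload = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$obj = import_settings_secure($payload);
printf("hardened: class=%s, file still exists=%s\n",
    get_class($obj), var_export(is_file($victim), true));

$obj = import_settings_insecure($payload);
unset($obj);   // __destruct fires here, deleting the file
printf("insecure: file still exists=%s\n", var_export(is_file($victim), true));
```

The allowed_classes option exists since PHP 7.0. The hardened call returns a __PHP_Incomplete_Class object and leaves the file in place; the plain call instantiates the gadget and the destructor removes it. Any real chain differs only in which existing class supplies the side effect.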
-
CVE-2025-14637
MEDIUM
CVSS 5.5
A weakness has been identified in itsourcecode Online Pet Shop Management System 1.0. It affects unknown code in the file /pet1/addcnp.php. Manipulation of the argument cnpname causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the...
PHP
SQLi
Online Pet Shop Management System
-
CVE-2025-14623
MEDIUM
CVSS 5.5
A weakness has been identified in code-projects Student File Management System 1.0. It affects unknown processing in the file /admin/update_student.php. Manipulation of the argument stud_id causes SQL injection. The attack can be carried out remotely. The exploit has bee...
PHP
SQLi
Student File Management System
-
CVE-2025-14622
MEDIUM
CVSS 5.5
A security flaw has been discovered in code-projects Student File Management System 1.0. It affects unknown code in the file /admin/save_user.php. Manipulation of the argument firstname results in SQL injection. The attack can be executed remotely. The exploit has been released t...
PHP
SQLi
Student File Management System
-
CVE-2025-14621
MEDIUM
CVSS 5.5
A vulnerability was identified in code-projects Student File Management System 1.0. It affects an unknown part of the file /admin/update_user.php. Manipulation of the argument user_id leads to SQL injection. Remote exploitation is possible. The exploit is publicly available and m...
PHP
SQLi
Student File Management System
-
CVE-2025-14620
MEDIUM
CVSS 5.5
A vulnerability was determined in code-projects Student File Management System 1.0. Affected is unknown functionality in the file /admin/login_query.php. Manipulation of the argument Username leads to SQL injection. The attack may be launched remotely. The exploit has...
PHP
SQLi
Student File Management System
-
CVE-2025-14619
MEDIUM
CVSS 5.5
A vulnerability was found in code-projects Student File Management System 1.0. Affected is unknown functionality in the file login_query.php. Manipulation of the argument stud_no results in SQL injection. The attack may be initiated remotely. The exploit has been ...
PHP
SQLi
Student File Management System
-
CVE-2025-14590
MEDIUM
CVSS 5.5
A security vulnerability has been detected in code-projects Prison Management System 2.0. Affected is an unknown function in the file /admin/search1.php. Manipulation of the argument keyname leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed pu...
PHP
SQLi
Prison Management System
-
CVE-2025-14588
MEDIUM
CVSS 5.5
A security flaw has been discovered in itsourcecode Student Management System 1.0. It affects unknown code in the file /update_program.php. Manipulation of the argument ID results in SQL injection. The attack can be carried out remotely. The exploit has been rel...
PHP
SQLi
Student Management System
-
CVE-2025-14587
MEDIUM
CVSS 5.5
A vulnerability was identified in itsourcecode Online Pet Shop Management System 1.0. It affects an unknown part of the file /pet1/available.php. Manipulation of the argument Name leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used.
PHP
SQLi
Online Pet Shop Management System
-
CVE-2025-14581
MEDIUM
CVSS 4.3
The HAPPY Helpdesk Support Ticket System WordPress plugin, up to version 1.0.9, allows authenticated attackers with Subscriber-level access to submit replies to arbitrary support tickets because the 'submit_form_reply' AJAX action performs no authorization check. Without capability validation before a reply is processed, a low-privileged user can set the 'happy_topic_id' parameter to any ticket and interact with tickets they neither own nor are assigned to. The CVSS score of 4.3 reflects an integrity-only impact; the EPSS percentile of 13% and the absence of evidence of active exploitation make this a non-urgent fix, though it should be patched to prevent unauthorized ticket interference.
WordPress
Authorization Bypass
-
CVE-2025-14447
MEDIUM
CVSS 4.3
Missing authorization in the AnnunciFunebri Impresa WordPress plugin, through version 4.7.0, allows authenticated subscribers to reset all plugin options: the annfu_reset_options() function performs no capability check. An attacker with Subscriber-level access can delete all 29 plugin configuration options, reverting the plugin to its default state without administrative authorization. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authorization Bypass
-
CVE-2025-14446
MEDIUM
CVSS 5.4
The Popup Builder (Easy Notify Lite) plugin for WordPress, versions up to 1.1.37, allows authenticated attackers with Subscriber-level access to reset plugin settings to default values because the easynotify_cp_reset() function performs no capability check. The vulnerability requires authentication and grants neither elevated privileges nor information disclosure, hence the CVSS score of 5.4 (medium severity). No public exploit code or active exploitation has been identified at time of analysis, though the issue poses moderate risk to installations that depend on the plugin's configuration remaining intact.
WordPress
Authorization Bypass
-
CVE-2025-13403
MEDIUM
CVSS 4.3
Authenticated attackers with Subscriber-level access can modify tracking settings in the Employee Spotlight WordPress plugin (versions up to 5.1.3) because the employee_spotlight_check_optin() function performs no authorization check. A low-privileged user can thereby change a setting that should require an administrator; all unpatched installations are affected.
WordPress
Authorization Bypass
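The four entries above (HAPPY Helpdesk, AnnunciFunebri Impresa, Popup Builder, Employee Spotlight) describe the same defect: an AJAX handler that does real work for any logged-in user. The following is an added example and is not code from any of those plugins; action names, option names, the post type and the 'manage_options' requirement are hypothetical, and it runs only as plugin code inside WordPress. It places the vulnerable handler beside one with a nonce and a capability check, and adds the object-level check the ticket-reply case needs.

```php
<?php
// Added example, not code from any of the four plugins above. Action
// names, option names, the post type and the capability are hypothetical;
// this runs only inside WordPress as plugin code.

// Vulnerable: a 'wp_ajax_' hook fires for every authenticated user,
// Subscriber included. Nothing checks who is asking or whether the
// request was intentional.
add_action('wp_ajax_example_reset_options', 'example_reset_options_insecure');
function example_reset_options_insecure(): void
{
    delete_option('example_plugin_settings');
    wp_send_json_success(['reset' => true]);
}

// Fixed: (1) the request must carry a nonce for this action, which
// defeats CSRF; (2) the caller must hold a capability only the intended
// role has, which is the authorization check the advisories report as
// missing. A nonce alone is not authorization: a Subscriber can obtain a
// valid nonce for their own session.
add_action('wp_ajax_example_reset_options_v2', 'example_reset_options_secure');
function example_reset_options_secure(): void
{
    check_ajax_referer('example_reset_options', '_ajax_nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }
    delete_option('example_plugin_settings');
    wp_send_json_success(['reset' => true]);
}

// Object-level authorization: for a per-record action such as replying
// to a ticket, the caller must own or be assigned to that record, even
// when the role check passes.
add_action('wp_ajax_example_submit_reply', 'example_submit_reply_secure');
function example_submit_reply_secure(): void
{
    check_ajax_referer('example_submit_reply', '_ajax_nonce');
    $topic_id = isset($_POST['topic_id']) ? absint($_POST['topic_id']) : 0;
    $topic    = $topic_id ? get_post($topic_id) : null;
    if (!$topic || $topic->post_type !== 'example_ticket') {
        wp_send_json_error(['message' => 'no such ticket'], 404);
    }
    $user_id  = get_current_user_id();
    $assignee = (int) get_post_meta($topic_id, 'example_assignee', true);
    if ((int) $topic->post_author !== $user_id
        && $assignee !== $user_id
        && !current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'not your ticket'], 403);
    }
    $reply = isset($_POST['reply']) ? sanitize_textarea_field(wp_unslash($_POST['reply'])) : '';
    $comment_id = wp_insert_comment([
        'comment_post_ID' => $topic_id,
        'comment_content' => $reply,
        'user_id'         => $user_id,
    ]);
    wp_send_json_success(['topic_id' => $topic_id, 'comment_id' => $comment_id]);
}
```

wp_send_json_error() terminates the request, so no return is needed after it. The page's JavaScript must send the nonce that wp_create_nonce() produced for the same action name, typically passed to the script through wp_localize_script(); the capability check is the part that cannot be omitted, since every entry above was exploitable by a user who could legitimately obtain a nonce.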
-
CVE-2025-9116
MEDIUM
CVSS 5.8
Reflected cross-site scripting (XSS) in the WPS Visitor Counter WordPress plugin, through version 1.4.8, allows remote attackers to inject script via the REQUEST_URI value, which is output unescaped inside HTML attributes. The CVSS score is 5.8; exploitation requires user interaction (following a crafted link) and is limited primarily to older web browsers, since current browsers percent-encode the quote and angle-bracket characters the payload depends on before sending the URL. No public exploit code or active exploitation has been identified at the time of analysis.
PHP
WordPress
XSS
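An added example, not the WPS Visitor Counter plugin's code, showing the REQUEST_URI-in-attribute bug, why a current browser rarely delivers the payload, and the escaping that fixes it. The form markup, the attribute used and the request paths are hypothetical and constructed.

```php
<?php
// Added example, not the WPS Visitor Counter plugin's code. The form
// markup, the attribute used and the request paths are hypothetical.

declare(strict_types=1);

// Vulnerable: the request URI is placed inside a double-quoted attribute
// without encoding, so a '"' in it ends the attribute.
function render_form_insecure(string $request_uri): string
{
    return '<form method="post" action="' . $request_uri . '"></form>';
}

// Fixed: entity-encode everything an attribute parser cares about,
// including both quote characters (ENT_QUOTES).
function render_form_secure(string $request_uri): string
{
    $safe = htmlspecialchars($request_uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '"></form>';
}

// Parse the markup the way a browser would and ask whether the injected
// event handler became a real attribute of the form element.
function form_has_handler(string $html): bool
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $form = $doc->getElementsByTagName('form')->item(0);
    return $form !== null && $form->hasAttribute('onmouseover');
}

// Constructed inputs. A raw socket, script or old client sends the first
// form verbatim. Current browsers percent-encode '"', '<' and '>' in the
// URL before sending, so PHP sees the second form, in which the payload
// stays inside the attribute value; that is the "older browsers" caveat.
$raw     = '/counter/?p=" onmouseover="alert(1)" data-x="';
$encoded = '/counter/?p=%22%20onmouseover=%22alert(1)%22%20data-x=%22';

foreach (['raw client' => $raw, 'modern browser' => $encoded] as $label => $uri) {
    printf("%-15s insecure, handler attribute present: %s\n", $label,
        var_export(form_has_handler(render_form_insecure($uri)), true));
    printf("%-15s secure,   handler attribute present: %s\n", $label,
        var_export(form_has_handler(render_form_secure($uri)), true));
}
```

Only the raw request through the insecure renderer yields a form with an onmouseover attribute. The browser-side encoding is a mitigation, not a fix: anything that reaches PHP unencoded (a proxy, a non-browser client, a double-decoding layer in front of the application) restores the bug, so the output encoding is what matters. In WordPress, esc_attr() and esc_url() serve the role htmlspecialchars() plays here.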
-
CVE-2025-14636
LOW
CVSS 2.9
Weak cryptographic hashing in the image_check function of Tenda AX9 firmware 22.03.01.46 weakens the firmware-image integrity check; the flaw is reachable remotely without authentication. The CVSS score of 2.9 (low severity) reflects high attack complexity, and although public exploit code exists, practical exploitation is rated difficult. The reported impact is limited to disclosure related to the hash values; on its own the weakness does not give remote code execution or device takeover.
Information Disclosure
Tenda
Ax9 Firmware
-
CVE-2025-14617
LOW
CVSS 1.9
Path traversal in the JW Library app for Android, versions up to 15.5.1, allows a local, authenticated user to reach files outside the intended directories by manipulating the SiloContainer component. The CVSS score of 1.9 reflects a low confidentiality impact with no integrity or availability consequences. Public exploit code exists, but the requirement for local access and prior authentication keeps real-world risk minimal, and the EPSS score of 0.03% indicates negligible exploitation probability.
Path Traversal
Google
-
CVE-2025-14606
LOW
CVSS 1.3
Unsafe pickle deserialization in Tiny RDM, up to version 1.2.5, allows authenticated remote attackers to supply data that the Pickle Decoding component deserializes, potentially leading to code execution. The attack has high complexity and requires prior authentication, which makes practical exploitation difficult. Public exploit code is available, but the low EPSS score (0.10%) and the absence of observed exploitation suggest limited real-world risk at present.
Deserialization
-
CVE-2025-14589
LOW
CVSS 2.1
SQL injection in code-projects Prison Management System 2.0 allows authenticated remote attackers to execute arbitrary SQL commands via the keyname parameter in /admin/search.php. Public exploit code is available, but real-world impact is limited by the authentication requirement and the restricted scope (confidentiality only, CVSS 2.1).
PHP
SQLi
Prison Management System
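All ten SQL injection entries on this page (the code-projects and itsourcecode applications above) report the same pattern: a request argument such as stud_id, keyname, Username or ID dropped into a query string. The following is an added example, not code from any of those applications; the table, its columns and the queries are hypothetical. It reproduces the pattern against an in-memory SQLite database and then shows the parameterised form.

```php
<?php
// Added example, not code from any of the code-projects or itsourcecode
// applications listed on this page. The table, its columns and the
// queries are hypothetical. Requires the pdo_sqlite extension.

declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE students (stud_id INTEGER, name TEXT, password TEXT)');
    $db->exec("INSERT INTO students VALUES (1, 'ada', 'pw-ada'), (2, 'linus', 'pw-linus'), (3, 'grace', 'pw-grace')");
    return $db;
}

// Vulnerable: the argument becomes part of the SQL text, so quote
// characters and keywords in it are interpreted as syntax.
function find_student_insecure(PDO $db, string $stud_id): array
{
    $sql = "SELECT stud_id, name FROM students WHERE stud_id = '" . $stud_id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the statement text is fixed at prepare time and the argument is
// bound as one value; it can never change the shape of the query.
function find_student_secure(PDO $db, string $stud_id): array
{
    $stmt = $db->prepare('SELECT stud_id, name FROM students WHERE stud_id = :id');
    $stmt->execute([':id' => $stud_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_demo_db();

// Constructed attacker inputs for the stud_id argument: a tautology that
// matches every row, and a UNION that pulls columns the page never shows.
$inputs = [
    'tautology' => "1' OR '1'='1",
    'union'     => "x' UNION SELECT name, password FROM students--",
];

foreach ($inputs as $label => $input) {
    $rows = find_student_insecure($db, $input);
    printf("%-10s insecure -> %d row(s): %s\n", $label, count($rows), json_encode($rows));
    $rows = find_student_secure($db, $input);
    printf("%-10s secure   -> %d row(s)\n", $label, count($rows));
}
```

Through the concatenated query the tautology returns every student and the UNION returns names paired with password hashes; through the prepared statement both inputs are compared as a single literal against stud_id and match nothing. The applications listed here are typically written against mysqli, where the equivalent is $mysqli->prepare() with bind_param() rather than mysqli_query() on an assembled string. Where the injectable statement is the login check itself, as the login_query.php entries suggest, the same tautology also defeats the password comparison.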
-
CVE-2025-14586
LOW
CVSS 2.1
OS command injection in TOTOLINK X5000R firmware 9.1.0cu.2089_B20211224 allows authenticated remote attackers to execute arbitrary system commands via the User parameter of the exportOvpn function in /cgi-bin/cstecgi.cgi. Valid login credentials are required, but once authenticated the attacker gains complete control of the device. Public exploit code is available, and the CVSS score of 2.1 significantly understates the real risk: the low-impact scoring parameters mask what authenticated command execution in a network-reachable management interface means for the device.
Command Injection
X5000r Firmware