Skip to main content
CVE-2023-53888 HIGH POC This Week

Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Zomplog
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.9%
CVE-2025-14704 MEDIUM POC This Month

A vulnerability was found in Shiguangwu sgwbox N3 2.0.25. The impacted element is an unknown function of the file /eshell of the component API. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Path Traversal N3 Firmware
NVD VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2025-14711 MEDIUM POC This Month

A flaw has been found in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This vulnerability affects unknown code of the file /controller/api/hotelList.php. This manipulation of the argument pickedHotelName/type causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Hotels Server
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14710 MEDIUM POC This Month

A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This affects an unknown part of the file /controller/api/OrderList.php. The manipulation of the argument telephone results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Hotels Server
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-67906 CRITICAL PATCH Act Now

Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated users with workflow privileges to inject arbitrary JavaScript via the workflow execution path view (executionPath.ctp), where doT.js template expressions used unescaped interpolation. Successful exploitation against a user who views the affected page (UI:R) results in scope-changed compromise of the victim's MISP session, including high-confidentiality/integrity/availability impact (CVSS 9.0). Publicly available exploit code exists in researcher-published repositories; no CISA KEV listing at time of analysis.

XSS Misp
NVD GitHub
CVSS 3.1
9.0
EPSS
0.3%
CVE-2024-44598 HIGH This Week

FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE Fnt Command
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-11393 HIGH PATCH This Week

Privilege escalation in Red Hat's runtimes-inventory-rhel8-operator lets a standard cluster user act with full cluster-administrator authority on the Red Hat management platform. A misconfigured internal proxy attaches the cluster's main administrative credentials to every command it relays - not just the report traffic it should handle - so any authenticated user can issue admin-level instructions and alter cluster configuration or status. There is no public exploit identified at time of analysis, EPSS is low (0.21%, 12th percentile), and the issue is not in CISA KEV, but the impact is a classic confused-deputy authentication bypass and Red Hat has shipped a fix.

Authentication Bypass Red Hat Suse
NVD
CVSS 3.1
8.7
EPSS
0.2%
CVE-2024-44599 HIGH This Week

FNT Command 13.4.0 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal File Upload Fnt Command
NVD GitHub
CVSS 3.1
8.3
EPSS
0.4%
CVE-2025-14692 LOW POC PATCH Monitor

A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."

Open Redirect Mayan Edms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-14730 LOW POC Monitor

Code injection in CTCMS up to version 2.1.2 allows high-privilege authenticated remote attackers to inject arbitrary code via manipulation of the Cj_Add or Cj_Edit arguments in the Backend System Configuration Module (/ctcms/libs/Ct_Config.php). Public exploit code is available, but exploitation requires administrative credentials and produces only low confidentiality impact without scope expansion. EPSS score of 0.07% indicates minimal real-world exploitation probability despite public POC availability.

PHP Code Injection Ctcms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14729 LOW POC Monitor

Code injection in CTCMS up to version 2.1.2 allows high-privileged remote attackers to inject arbitrary code via the CT_App_Paytype parameter in the Backend App Configuration Module's Save function. The vulnerability has a low CVSS score (2.0) due to requiring high administrative privileges (PR:H), but publicly available exploit code exists. Real-world risk is limited to authenticated administrators with backend access.

PHP Code Injection Ctcms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-66963 MEDIUM This Month

Sensitive information disclosure in Hitron HI3120 firmware 7.2.4.5.2b1 exposes credentials or session data to a local low-privileged attacker through the device's web management interface Logout function in index.html. The root cause, indicated by the 'Insufficient Session Expiration' tag, is that the logout action fails to fully invalidate or clear sensitive session artifacts, leaving them recoverable post-logout. No active exploitation is confirmed (EPSS 0.11%, 1st percentile), and the attack surface is constrained to local access with low privileges, significantly limiting real-world impact despite the High confidentiality rating.

Information Disclosure Hi3120 Firmware
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-14693 MEDIUM This Month

A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been disclosed to the public and may be used. It is suggested to upgrade the affected component.

Information Disclosure
NVD VulDB
CVSS 4.0
5.2
EPSS
0.0%
CVE-2025-14697 LOW Monitor

Sixun Shanghui Group Business Management System 4.10.24.3 allows unauthenticated remote attackers to access files and directories through the /ExportFiles/ endpoint due to improper access controls, resulting in information disclosure of sensitive data. The vulnerability requires high attack complexity and has publicly available exploit code, but remains difficult to exploit in practice with an EPSS score of 0.06% indicating minimal real-world exploitation probability.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-14695 LOW Monitor

Remote code execution via dynamic code resource manipulation in SamuNatsu HaloBot's Inter-plugin API allows authenticated remote attackers to execute arbitrary code by manipulating the action argument in the html_renderer plugin. The vulnerability affects unsupported legacy versions of the product (commit hash 026b01d4a896d93eaaf9d5163a287dc9f267515b and earlier), with publicly available exploit code disclosed but no vendor-released patch, as the maintainer has abandoned the project and did not respond to early disclosure.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14694 LOW Monitor

SQL injection in ketr JEPaaS up to version 7.2.8 allows high-privileged remote attackers to manipulate the keyWord argument in the readAllPostil function (/je/postil/postil/readAllPostil), resulting in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the CVSS score of 2.0 reflects the requirement for high-level privileges (PR:H), significantly limiting real-world exploitation scope.

SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14722 LOW Monitor

Stored cross-site scripting (XSS) vulnerability in vion707 DMadmin backend allows high-privilege authenticated users to inject malicious scripts via the Add function in AddonsController, affecting the application's integrity. The vulnerability requires user interaction (UI:P) and high-privilege access (PR:H), limiting real-world exploitation risk despite a network attack vector. Public exploit code is available, but the extremely low CVSS score (1.9) and EPSS probability (0.05th percentile) suggest minimal practical risk in typical deployments.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-14702 LOW Monitor

Path traversal vulnerability in Smartbit CommV Smartschool App up to version 10.4.4 allows local authenticated attackers to manipulate the SplashActivity component and access or modify files outside intended directories. The vendor has not responded to early disclosure notification, and public exploit code is available.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14699 LOW Monitor

Path traversal vulnerability in Municorn FAX App 3.27.0 on Android allows local authenticated users to access files outside intended directories with low confidentiality, integrity, and availability impact. The vulnerability affects the biz.faxapp.app component and has been publicly disclosed with exploit code available, though EPSS exploitation probability remains very low at 0.04%, suggesting limited real-world attack likelihood despite public availability.

Google Path Traversal
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14698 LOW Monitor

Path traversal vulnerability in atlaszz AI Photo Team Galleryit App version 1.3.8.2 on Android allows authenticated local attackers to manipulate the gallery.photogallery.pictures.vault.album component and access files outside intended directories. The vulnerability requires local access and authenticated user privileges; public exploit code exists. The vendor has not responded to early disclosure notification, leaving the application unpatched.

Google Hashicorp Path Traversal
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy