Skip to main content
CVE-2025-56157 CRITICAL POC Act Now

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 allow anyone who can reach the database port to authenticate with full read/write access to the backend datastore. Publicly available exploit code exists, though EPSS remains low (0.81%) and the vendor states the database port is not network-exposed by default in 1.0.1 and later, limiting realistic reach. There is no public exploit identified as actively used in the wild (not in CISA KEV).

Authentication Bypass PostgreSQL Docker Dify
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-64231 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.

Google File Upload WordPress
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-64236 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a through < 3.6.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14860 CRITICAL PATCH Act Now

Remote code execution in Mozilla Firefox via use-after-free in Disability Access APIs allows unauthenticated network attackers to compromise browser integrity with high impact. The vulnerability (CWE-416) affects Firefox versions prior to 146.0.1 and requires no user interaction or special privileges. With CVSS 9.8 (Critical) but low EPSS (0.07%, 21st percentile), real-world exploitation probability remains limited despite theoretical severity. No public exploit identified at time of analysis, and vendor-released patch 146.0.1 available.

Memory Corruption Mozilla Use After Free Information Disclosure Suse
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-60062 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mmetrodw tPlayer tplayer-html5-audio-player-with-playlist allows SQL Injection.This issue affects tPlayer: from n/a through <= 1.2.1.6.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-58951 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-66078 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3.

Code Injection RCE
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-66074 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.

File Upload Path Traversal
NVD
CVSS 3.1
9.0
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy