23 CVEs tracked today. 4 Critical, 12 High, 5 Medium, 0 Low.
-
CVE-2025-68600
CRITICAL
CVSS 9.1
Server-Side Request Forgery in the WordPress Link Library plugin, versions up to 7.8.7, allows unauthenticated remote attackers to make arbitrary HTTP requests from the server, reaching internal services, cloud metadata endpoints, or otherwise mapping internal network infrastructure. The CVSS score of 9.1 sits in the Critical band; the EPSS estimate of 0.04% (14th percentile) puts the predicted probability of exploitation over the next 30 days very low. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis.
WordPress
PHP
SSRF
-
CVE-2025-68496
CRITICAL
CVSS 9.8
Blind SQL injection in the User Feedback WordPress plugin (versions ≤1.10.0) allows unauthenticated remote attackers to infer and extract database contents one condition at a time through differing responses or timing; depending on the injection point, data modification may also be possible. The vulnerability carries a critical CVSS score of 9.8 because it is network-reachable and requires no privileges or user interaction. EPSS is low (0.05%, 14th percentile) and no active exploitation is confirmed at time of analysis, but the unauthenticated attack vector makes this a priority for WordPress administrators running this plugin. The Patchstack advisory classifies the flaw as CWE-89 SQL injection resulting from improper input sanitization.
WordPress
PHP
SQLi
-
CVE-2025-68038
CRITICAL
CVSS 9.8
PHP object injection in Icegram Express Pro (a WordPress email marketing plugin), versions through 5.9.13, lets unauthenticated remote attackers pass user-controlled data to PHP's unserialize(); with a usable gadget chain among the loaded classes, that becomes arbitrary code execution. With CVSS 9.8 (Critical) and a network-accessible attack vector requiring no authentication or user interaction, this is a severe pre-authentication RCE risk. EPSS of 0.06% (19th percentile) predicts a low near-term probability of exploitation, and no public exploit or CISA KEV listing was identified at time of analysis, though the Patchstack disclosure raises attacker awareness.
WordPress
PHP
Deserialization
-
CVE-2025-67623
CRITICAL
CVSS 9.1
Server-Side Request Forgery (SSRF) in the 6Storage Rentals WordPress plugin, versions ≤2.20.2, allows unauthenticated remote attackers to send crafted requests from the vulnerable server to arbitrary internal or external systems. CVSS 9.1 (Critical) reflects a network-accessible attack vector requiring no authentication or user interaction, with high confidentiality and integrity impact: internal services and cloud metadata endpoints become reachable, and sensitive data can be exfiltrated through the server. EPSS of 0.04% (14th percentile) predicts a low probability of exploitation despite the critical severity rating. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.
SSRF
PHP
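The two SSRF entries above (CVE-2025-68600 and CVE-2025-67623) share one root cause: a server-side fetch that requests whatever URL it is handed. The block below is an added example, not code from either plugin or from WordPress, of the destination check such a feature needs before it connects. It parses the URL, resolves the host, and refuses anything that lands on a loopback, private, link-local or metadata address. The function names, the FAKE_DNS table and its hostnames are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Well-known metadata endpoints, refused by name so they fail closed even if a
# range check elsewhere is wrong. 169.254.169.254 is link-local and would be
# caught by range anyway; the hostnames need a DNS answer to be judged by range.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}

Resolver = Callable[[str], Iterable[str]]


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback in IPv6 clothing: judge the embedded v4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_fetch_target(url: str, resolve: Resolver) -> Dict[str, object]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns {"ok": bool, "reason": str, "pinned_ip": str | None}. The caller must
    connect to pinned_ip (sending the original Host header) and must not follow
    redirects automatically; every hop gets checked again.
    """
    def deny(why: str) -> Dict[str, object]:
        return {"ok": False, "reason": why, "pinned_ip": None}

    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        return deny(f"unparseable URL: {exc}")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return deny(f"scheme {parts.scheme!r} not allowed")
    # .hostname is lower-cased, strips IPv6 brackets and drops userinfo, so
    # http://user@evil.example:80@127.0.0.1/ is judged by its real host, 127.0.0.1.
    host = parts.hostname
    if not host:
        return deny("missing host")
    if host in METADATA_HOSTS:
        return deny(f"{host} is a metadata endpoint")
    try:
        addresses: List[str] = [str(ipaddress.ip_address(host))]  # literal IP: no DNS
    except ValueError:
        addresses = list(resolve(host))
    if not addresses:
        return deny(f"{host} did not resolve")
    # One private answer fails the whole request: attackers publish mixed records.
    for addr in addresses:
        if not is_public_ip(addr):
            return deny(f"{host} -> {addr} is not a public address")
    return {"ok": True, "reason": "public destination", "pinned_ip": addresses[0]}


# Constructed resolver standing in for socket.getaddrinfo(); the entries are
# invented for this example. "2130706433" mirrors libc accepting a bare decimal
# integer as 127.0.0.1, which ipaddress.ip_address() does not.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
    "2130706433": ["127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "http://example.com/feed.xml",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://user@evil.example:80@127.0.0.1/",
        "http://2130706433/",
        "http://mixed.example/",
        "ftp://example.com/",
    ):
        print(candidate, "->", check_fetch_target(candidate, fake_resolve))
```

Two details matter in practice. The check returns the address it approved, and the caller has to connect to that address rather than resolving the name a second time, or a DNS answer that changes between check and connect (DNS rebinding) defeats it. Redirects must not be followed automatically; each Location target goes through the same check. WordPress core's wp_safe_remote_get() and wp_http_validate_url() apply a comparable, if shorter, filter on private ranges, and plugins that fetch user-supplied URLs should use them instead of wp_remote_get() or curl directly.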
-
CVE-2025-68601
HIGH
CVSS 8.8
Cross-Site Request Forgery (CSRF) in the Five Star Restaurant Reservations WordPress plugin, versions ≤2.7.8, lets an unauthenticated attacker trigger administrative actions by luring a logged-in administrator to a page that submits the forged request; the action runs with the victim's privileges. CVSS 8.8 (High) reflects network access, low attack complexity and no privileges on the attacker's side, with user interaction required. EPSS is 0.02% (6th percentile), a very low predicted probability of exploitation despite the high base score. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.
WordPress
PHP
CSRF
-
CVE-2025-68595
HIGH
CVSS 8.8
Broken access control in Trustindex Widgets for Social Photo Feed (WordPress plugin), versions through 1.8, allows authenticated attackers with low privileges to bypass authorization checks and perform high-impact actions. The CVSS:3.1 vector (AV:N/AC:L/PR:L) describes a network-reachable, low-complexity attack from any logged-in account, with impact to confidentiality, integrity, and availability. EPSS of 0.06% (18th percentile) predicts a low probability of exploitation, and no public exploit or CISA KEV listing exists at time of analysis: a patch-priority issue rather than an active threat.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68594
HIGH
CVSS 8.1
Broken access control in Opinion Stage Poll, Survey & Quiz Maker Plugin for WordPress, versions through 19.12.0, allows authenticated attackers with low-level privileges to bypass authorization checks and read or modify high-sensitivity data. Classified as CWE-862 (Missing Authorization): a handler performs a privileged operation without verifying the caller's capability, so any low-privilege account effectively inherits that operation. EPSS is low at 0.04% (13th percentile) and no public exploit identified at time of analysis. Despite the tag, this is an authorization flaw that needs a valid account, not a bypass of authentication itself.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68591
HIGH
CVSS 8.1
Missing authorization in the Simple File List WordPress plugin, 6.1.18 and earlier, allows authenticated low-privilege users to bypass access controls and gain unauthorized read/write access to file list data. The attacker needs a valid account; the flaw is a missing capability check (CWE-862) on an operation intended for higher roles. EPSS of 0.04% (13th percentile) predicts a low probability of exploitation. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68589
HIGH
CVSS 8.1
Broken access control in the WP Telegram Widget and Join Link plugin, versions up to 2.2.12, allows authenticated users with low privileges to bypass authorization checks and reach high-sensitivity configuration or data. The vector records high confidentiality and integrity impact (C:H/I:H) with no user interaction required. EPSS of 0.04% predicts a low probability of exploitation, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68588
HIGH
CVSS 8.1
Access control bypass in the TS Poll WordPress plugin (versions ≤2.5.5) allows low-privileged authenticated users to gain unauthorized read/write access to poll data, effectively escalating their privileges within the plugin. An attacker holding a basic account (subscriber-level, the lowest default WordPress role) can exploit the missing authorization checks to access or modify content beyond that role's permissions. EPSS is low (0.04%, 13th percentile) with no public exploit identified at time of analysis, so immediate risk appears limited despite the 8.1 CVSS score.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68586
HIGH
CVSS 8.8
Broken access control in the Cooked WordPress plugin, versions ≤1.11.3, allows authenticated attackers with low-level privileges to bypass authorization checks and reach high-privilege functions. The vulnerability stems from missing authorization validation (CWE-862), enabling privilege escalation and unauthorized data manipulation. CVSS is 8.8; EPSS of 0.06% (18th percentile) predicts a low probability of exploitation, and no public exploit identified at time of analysis.
Information Disclosure
-
CVE-2025-68575
HIGH
CVSS 8.8
Authorization bypass in the Wappointment WordPress plugin, versions ≤2.7.6, lets low-privileged authenticated attackers perform unauthorized actions with high impact to confidentiality, integrity, and availability. The vulnerability stems from missing authorization checks (CWE-862), allowing authenticated users to access or modify data beyond their intended permission level. EPSS of 0.06% (18th percentile) predicts a low probability of exploitation, and no confirmed active exploitation (CISA KEV) or public exploit code is identified at time of analysis.
Information Disclosure
-
CVE-2025-68571
HIGH
CVSS 8.8
Broken access control in the SALESmanago WordPress plugin, versions up to 3.9.0, allows authenticated attackers with low-level privileges to bypass authorization checks and reach high-privilege functions, with full impact to confidentiality, integrity, and availability within the plugin's scope. EPSS of 0.06% (18th percentile) predicts a low probability of exploitation, and no public exploit identified at time of analysis.
Information Disclosure
-
CVE-2025-68569
HIGH
CVSS 8.8
Broken access control in the WP Time Slots Booking Form plugin (≤1.2.39) allows authenticated attackers with low-level privileges to perform administrative actions they are not entitled to. The vulnerability stems from missing authorization checks (CWE-862), letting a low-privilege account access, modify, or delete sensitive booking data and configuration settings. CVSS is 8.8 (High); EPSS of 0.06% (18th percentile) predicts a low probability of exploitation, and no public exploit identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68568
HIGH
CVSS 7.5
Missing authorization in the Claspo WordPress plugin, through version 1.0.7, allows unauthenticated remote attackers to modify plugin data via incorrectly configured access controls. CVSS 7.5 (High) reflects high integrity impact with no confidentiality or availability impact; EPSS is 0.04%, so exposure is elevated for vulnerable installations even though predicted exploitation likelihood is low. No public exploit identified at time of analysis. Unlike the other missing-authorization entries above, no account is needed here, which is what the authentication bypass tag reflects.
WordPress
PHP
Authentication Bypass
-
CVE-2025-68567
HIGH
CVSS 8.8
Cross-Site Request Forgery in the My Auctions Allegro WordPress plugin (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. The CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into following a malicious link while logged in. EPSS of 0.02% (6th percentile) predicts a very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis: a high-severity issue whose exploitation depends on user interaction.
WordPress
PHP
CSRF
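Nine of the entries above are the same CWE-862 pattern, an AJAX or admin-post handler that does privileged work without asking who is calling, and two (CVE-2025-68601, CVE-2025-68567) are the CSRF counterpart, a state-changing handler with no nonce check. Both are cheap to find in code review. The script below is an added example, not from any plugin on this page, that scans PHP for wp_ajax_ / admin_post_ registrations and reports callbacks lacking current_user_can() or a nonce check. The PHP it scans is constructed for the example (the acme_ handlers do not exist), and the regular expressions are a review aid, not a PHP parser.

```python
import re
from typing import Dict, List, Optional

# Constructed PHP standing in for a plugin under review; not from any plugin on this page.
SAMPLE_PLUGIN_PHP = r"""<?php
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings' );
add_action( 'wp_ajax_nopriv_acme_track_click', 'acme_track_click' );
add_action( 'wp_ajax_acme_export_entries', 'acme_export_entries' );
add_action( 'admin_post_acme_delete_entry', 'acme_delete_entry' );

function acme_save_settings() {
    // No capability check, no nonce: a subscriber can overwrite the settings,
    // and a page an admin visits can make the admin's browser do it (CSRF).
    update_option( 'acme_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

function acme_track_click() {
    // nopriv handlers run for visitors who are not logged in: an unauthenticated write.
    update_option( 'acme_clicks', (int) get_option( 'acme_clicks' ) + 1 );
    wp_send_json_success();
}

function acme_export_entries() {
    check_ajax_referer( 'acme_export', 'nonce' );   // CSRF token verified...
    $rows = get_posts( array( 'post_type' => 'acme_entry', 'numberposts' => -1 ) );
    wp_send_json( $rows );                          // ...but any logged-in user may export (CWE-862)
}

function acme_delete_entry() {
    check_admin_referer( 'acme_delete_' . (int) $_POST['id'] );
    if ( ! current_user_can( 'delete_others_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    wp_delete_post( (int) $_POST['id'], true );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
"""

HOOK_RE = re.compile(
    r"""add_action\(\s*['"]((?:wp_ajax|admin_post)_(?:nopriv_)?)([\w-]+)['"]\s*,\s*['"](\w+)['"]"""
)
CAP_RE = re.compile(r"\b(?:current_user_can|user_can|current_user_can_for_blog)\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
# Heuristic list of state-changing calls; extend it for the code base under review.
WRITE_RE = re.compile(
    r"\b(?:update_option|add_option|delete_option|wp_insert_post|wp_update_post|wp_delete_post"
    r"|update_post_meta|delete_post_meta|update_user_meta|wp_update_user|wp_set_current_user)\s*\("
    r"|\$wpdb->(?:query|insert|update|delete|replace)\s*\("
)


def function_body(php: str, name: str) -> Optional[str]:
    """Text between the braces of `function name(...) { ... }`, found by brace
    counting. Braces inside strings or comments would confuse it; good enough for triage."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", php)
    if not m:
        return None
    start = php.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(php)):
        if php[i] == "{":
            depth += 1
        elif php[i] == "}":
            depth -= 1
            if depth == 0:
                return php[start + 1:i]
    return None


def audit_handlers(php: str) -> List[Dict[str, object]]:
    """Flag wp_ajax_/admin_post_ handlers missing the checks a privileged or
    state-changing WordPress endpoint needs. Only string callbacks are followed."""
    findings: List[Dict[str, object]] = []
    for prefix, action, callback in HOOK_RE.findall(php):
        body = function_body(php, callback)
        unauthenticated = "nopriv_" in prefix
        issues: List[str] = []
        if body is None:
            issues.append("callback not found (class method or closure?)")
        else:
            writes = bool(WRITE_RE.search(body))
            if unauthenticated:
                if writes:  # no capability check is possible for anonymous callers
                    issues.append("unauthenticated handler changes state")
            else:
                if not CAP_RE.search(body):
                    issues.append("no capability check (CWE-862 missing authorization)")
                if writes and not NONCE_RE.search(body):
                    issues.append("state change without nonce check (CSRF)")
        findings.append({"hook": prefix + action, "callback": callback,
                         "unauthenticated": unauthenticated, "issues": issues})
    return findings


def issues_by_callback(php: str) -> Dict[str, List[str]]:
    return {str(f["callback"]): list(f["issues"]) for f in audit_handlers(php)}  # type: ignore[arg-type]


if __name__ == "__main__":
    for f in audit_handlers(SAMPLE_PLUGIN_PHP):
        print(f"{f['hook']:<38} {f['callback']:<20} {'; '.join(f['issues']) or 'OK'}")
```

A clean handler does both checks: check_ajax_referer() or check_admin_referer() shows the request came from a page the site rendered for this user, and current_user_can() shows the user is allowed to do this. The acme_export_entries case shows why the first is not a substitute for the second: a subscriber can harvest a valid nonce from any page that embeds it. For wp_ajax_nopriv_ handlers no capability check is possible, so any write inside one is a design finding on its own, and unauthenticated data modification of the kind described for CVE-2025-68568 is the class of outcome it produces.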
-
CVE-2025-68605
MEDIUM
CVSS 5.4
Stored XSS in the PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. User interaction is required (a victim must view a page carrying the injected content), and the CVSS:3.1 vector records Scope: Changed (S:C) because the payload runs in visitors' browsers rather than in the vulnerable component itself. EPSS of 0.04% predicts a low probability of exploitation despite CVE publication.
WordPress
PHP
XSS
-
CVE-2025-68602
MEDIUM
CVSS 6.1
Open redirect in the Scott Paterson Accept Donations with PayPal & Stripe WordPress plugin (versions <= 1.5.2) lets an unauthenticated attacker craft URLs on the trusted site that forward visitors to a destination the attacker controls, a ready-made phishing vector. User interaction is required (UI:R): the victim must follow the attacker's link. Because the redirect originates from a donation plugin, the natural abuse is a convincing link that lands on a fraudulent payment page to harvest card data or credentials, or that serves malware.
WordPress
PHP
Open Redirect
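The open redirect above is a validation failure on a "return to here" URL parameter. The function below is an added example, not code from the plugin or from WordPress, of the allowlist check such a parameter needs, exercised against the inputs that defeat naive checks: scheme-relative //host, backslash variants, userinfo tricks, look-alike subdomains, scheme-only URLs and header-injection characters. The function and the hostnames trusted.example and evil.example are constructed for the example.

```python
from typing import Iterable
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(candidate: str, allowed_hosts: Iterable[str], fallback: str = "/") -> str:
    """Return a redirect target that stays on an allowed host, or `fallback`.

    Only same-origin absolute paths and http(s) URLs whose host is in
    allowed_hosts pass. The result is rebuilt from parsed components, never
    echoed, which is what neutralizes the odd spellings below.
    """
    allowed = {h.lower() for h in allowed_hosts}
    if not candidate:
        return fallback
    # Browsers treat a backslash like a slash in http(s) URLs, so "/\evil.example"
    # and "\\evil.example" are network-path references, not local paths.
    cleaned = candidate.strip().replace("\\", "/")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in cleaned):
        return fallback  # CR/LF/tab would otherwise reach the Location header
    try:
        parts = urlsplit(cleaned)
        port = parts.port  # raises ValueError on junk like "https://h:abc/"
    except ValueError:
        return fallback
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return fallback  # javascript:, data:, ftp: and friends
    if parts.netloc:
        host = parts.hostname  # lower-cased, userinfo removed, brackets stripped
        if host not in allowed or parts.username is not None:
            return fallback  # "https://trusted.example@evil.example" fails on host,
                             # "https://trusted.example.evil.example" likewise
        netloc = host if port is None else f"{host}:{port}"
        return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))
    if scheme:
        return fallback  # "https:evil.example": browsers fix this up to https://evil.example/
    if not parts.path.startswith("/"):
        return fallback  # page-relative targets are not worth the ambiguity
    # urlsplit leaves "///evil.example" with an empty netloc and path "/evil.example";
    # rebuilding drops the extra slashes, so the browser sees a same-origin path.
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for raw in ("/account?tab=2", "//evil.example/x", "/\\evil.example",
                "https://trusted.example@evil.example/", "https:evil.example",
                "javascript:alert(1)", "HTTPS://TRUSTED.EXAMPLE/donate/thanks"):
        print(f"{raw!r:45} -> {safe_redirect_target(raw, ['trusted.example'])!r}")
```

WordPress core already provides this check: wp_safe_redirect() runs its argument through wp_validate_redirect(), which compares the host against the site's own host and the allowed_redirect_hosts filter and falls back to the admin URL. A plugin that passes a user-controlled value to wp_redirect() or header('Location: ...') instead is the pattern that yields advisories in this class.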
-
CVE-2025-68598
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in the Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor- or editor-level access can store a payload that persists in the database and runs when administrators or other visitors open the affected content, potentially leading to session hijacking, credential theft, or malware distribution.
WordPress
PHP
XSS
-
CVE-2025-68597
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in the BlueGlass Interactive AG Jobs for WordPress plugin, versions 2.8.1 and earlier, allows authenticated users with low privileges to inject scripts into job postings that execute in the browsers of other site visitors. The CVSS vector records user interaction (a victim must view the poisoned posting) and Scope: Changed, since the payload runs in visitors' browsers; impact is limited confidentiality and integrity with no availability impact. EPSS is 0.04%, a low predicted probability of exploitation despite publicly disclosed details.
WordPress
PHP
XSS
-
CVE-2025-68566
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in the My Auctions Allegro WordPress plugin (versions up to 3.6.35) allows authenticated users to inject scripts that execute in other users' browsers when they view auction content. User interaction is required (UI:R), and the confidentiality and integrity impact is limited (C:L/I:L). No public exploit code or active exploitation has been identified; real-world risk is low to moderate given the need for an authenticated account and a victim viewing the content.
WordPress
PHP
XSS
-
CVE-2025-68736
None
The Linux kernel's Landlock security module fails to properly enforce access controls on disconnected directories: directories that remain visible through a bind mount but are no longer reachable from the mount point after a rename or move. Access rights can be widened and access checks can return inconsistent results when a sandboxed task operates on such paths, undermining Landlock's guarantee that its rules confine filesystem operations to in-scope paths. Triggering the issue requires the sandboxed task to already hold write access to the bind mount source and read access to the mount point.
Linux
Linux Kernel
Privilege Escalation
-
CVE-2025-68357
None
The Linux kernel iomap subsystem did not allocate the s_dio_done_wq workqueue for asynchronous reads, while commit 222f2c7c6d14 had started deferring read error completions to that workqueue. A read that fails asynchronously therefore has no execution context to complete on, leading to system instability (a denial of service) rather than a clean error return. Affected are kernel versions that carry the completion deferral without the matching workqueue allocation for async reads. With an EPSS score of 0.01% and no evidence of active exploitation, this is a low-probability but correctness-critical issue in async I/O error handling on affected kernels.
Linux
Linux Kernel
Denial Of Service
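Every entry above reports the same three signals: a CVSS base score, an EPSS probability with its percentile, and whether CISA KEV lists the CVE. A practitioner's first question is different: which of these are installed here, at an affected version, and in what order should they be patched? The script below is an added example, not part of the feed, that answers that for a subset of the entries above transcribed as data. The INVENTORY table is constructed, plugin names are used as keys because the feed gives no slugs, and the thresholds in priority() (KEV first, then EPSS at or above 10%, then unauthenticated Critical) are one reasonable local policy, not a standard.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FeedEntry:
    cve: str
    plugin: str
    last_affected: str      # "up to X" / "<= X" as listed above, inclusive
    cvss: float
    epss: float             # probability: 0.0004 is the 0.04% printed above
    unauthenticated: bool   # attacker needs no account (PR:N)
    in_kev: bool            # listed in CISA KEV


# A subset of the entries on this page, transcribed with their scores and version bounds.
FEED: List[FeedEntry] = [
    FeedEntry("CVE-2025-68600", "Link Library", "7.8.7", 9.1, 0.0004, True, False),
    FeedEntry("CVE-2025-68496", "User Feedback", "1.10.0", 9.8, 0.0005, True, False),
    FeedEntry("CVE-2025-68038", "Icegram Express Pro", "5.9.13", 9.8, 0.0006, True, False),
    FeedEntry("CVE-2025-68595", "Trustindex Widgets for Social Photo Feed", "1.8", 8.8, 0.0006, False, False),
    FeedEntry("CVE-2025-68568", "Claspo", "1.0.7", 7.5, 0.0004, True, False),
    FeedEntry("CVE-2025-68605", "PickPlugins Post Grid and Gutenberg Blocks", "2.3.23", 5.4, 0.0004, False, False),
]

# Constructed inventory for one site (plugin name -> installed version); not real data.
INVENTORY: Dict[str, str] = {
    "Link Library": "7.8.7",
    "User Feedback": "1.11.0",
    "Trustindex Widgets for Social Photo Feed": "1.8.0",
    "Claspo": "1.0.7",
    "Unrelated Plugin": "3.2",
}


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Dotted version -> fixed-width tuple, so 1.8 == 1.8.0 and 1.8.1 > 1.8.
    Non-numeric components such as 'rc1' count as zero."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple((parts + [0] * width)[:width])


def is_affected(entry: FeedEntry, installed: str) -> bool:
    """'Up to X' in the feed is inclusive, hence <=."""
    return version_key(installed) <= version_key(entry.last_affected)


def priority(entry: FeedEntry) -> str:
    """Rank by evidence of exploitation first, exposure second, base score last."""
    if entry.in_kev:
        return "P0 exploited in the wild"
    if entry.epss >= 0.10:                      # policy threshold: 10% within 30 days
        return "P1 EPSS predicts likely exploitation"
    if entry.unauthenticated and entry.cvss >= 9.0:
        return "P1 pre-auth critical"
    if entry.cvss >= 7.0:
        return "P2 high; needs an account or user interaction, or lower impact"
    return "P3 medium; schedule with routine updates"


def triage(feed: List[FeedEntry], inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Keep only entries matching an installed, still-affected version, then rank them."""
    rows: List[Dict[str, str]] = []
    for entry in feed:
        installed = inventory.get(entry.plugin)
        if installed is None or not is_affected(entry, installed):
            continue
        rows.append({"cve": entry.cve, "plugin": entry.plugin,
                     "installed": installed, "priority": priority(entry)})
    rows.sort(key=lambda r: (r["priority"], r["cve"]))  # P0 < P1 < P2 < P3 lexically
    return rows


if __name__ == "__main__":
    for row in triage(FEED, INVENTORY):
        print(f"{row['priority']:<62} {row['cve']}  {row['plugin']} {row['installed']}")
```

Two points the feed text glosses over. EPSS is a model's estimate of the probability of exploitation activity in the next 30 days, not a count of observed attacks, so a 14th-percentile score says the CVE is less likely than most to be exploited soon and nothing more. And "up to X" bounds are inclusive, which is why version_key() pads components before comparing: an installed 1.8.0 is the listed 1.8 and is affected.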