32 CVEs tracked today. 0 Critical, 0 High, 3 Medium, 29 Low.
-
CVE-2025-15142
MEDIUM
CVSS 5.5
A vulnerability was identified in 9786 phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c. Impacted is an unknown function of the file show.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might...
PHP
SQLi
-
CVE-2025-15140
MEDIUM
CVSS 5.5
A vulnerability was found in saiftheboss7 onlinemcqexam up to 0e56806132971e49721db3ef01868098c7b42ada. This vulnerability affects unknown code of the file /admin/quesadd.php. Performing manipulation of the argument ans1/ans2 results in SQL injection. The attack is possible to be carried out remotel...
PHP
SQLi
-
CVE-2025-15127
MEDIUM
CVSS 5.5
A security vulnerability has been detected in FantasticLBP Hotels_Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. Affected by this issue is some unknown functionality of the file /controller/api/Room.php. Such manipulation of the argument hotelId leads to SQL injection. The attack may be laun...
PHP
SQLi
Hotels Server
-
CVE-2025-15156
LOW
CVSS 2.1
A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. This manipulation causes null pointer dereference. The attack may b...
Denial Of Service
-
CVE-2025-15155
LOW
CVSS 1.9
A vulnerability was detected in floooh sokol up to 16cbcc864012898793cd2bc57f802499a264ea40. The impacted element is the function _sg_pipeline_desc_defaults in the library sokol_gfx.h. The manipulation results in stack-based buffer overflow. The attack requires a local approach. The exploit is now p...
Buffer Overflow
Sokol
-
CVE-2025-15153
LOW
CVSS 2.9
A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing a manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are high...
Information Disclosure
Pbootcms
-
CVE-2025-15151
LOW
CVSS 2.9
Authentication bypass in TaleLin Lin-CMS up to version 0.6.0 allows remote attackers to manipulate username and password arguments in the /tests/config.py Tests Folder component, potentially exposing credentials stored in the configuration file. The attack requires high complexity and has been publicly disclosed, but exploitation is considered difficult with an EPSS score of 0.04% indicating very low real-world exploitation probability.
Authentication Bypass
-
CVE-2025-15149
LOW
CVSS 1.9
A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument product...
XSS
Java
-
CVE-2025-15148
LOW
CVSS 2.0
A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing a manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remo...
PHP
Code Injection
Cmseasy
-
CVE-2025-15146
LOW
CVSS 1.9
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This impacts the function doUserList of the file src/main/java/com/sohu/cache/web/controller/UserManageController.java. Performing manipulation results in cross-site scripting. The attack may be initiated remotely. The exploit is now pub...
XSS
Java
Cachecloud
-
CVE-2025-15145
LOW
CVSS 1.9
Stored cross-site scripting (XSS) in SohuTV CacheCloud up to version 3.2.0 allows high-privilege authenticated users to inject malicious scripts via the doTotalList function in TotalManageController.java, which are executed in the browsers of users viewing the affected page. The vulnerability requires user interaction (UI:P) and high privileges (PR:H), limiting real-world impact despite network accessibility. Public exploit code is available, but EPSS probability remains very low (0.04%) due to the authentication and interaction requirements.
XSS
Java
Cachecloud
-
CVE-2025-15144
LOW
CVSS 2.1
A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross-site scripting. The attack can be initiate...
PHP
XSS
Xunruicms
-
CVE-2025-15143
LOW
CVSS 2.0
A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content results in SQL injection. It is possible to launch ...
PHP
SQLi
Eyoucms
-
CVE-2025-15141
LOW
CVSS 1.3
A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing a manipulation can lead to information disclosure. The attack may be performed remotely. This attack is characterized by high co...
Information Disclosure
Halo
-
CVE-2025-15139
LOW
CVSS 2.1
A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4 of the file /boafrm/formWsc. Such manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be...
Command Injection
Tew 822Dre Firmware
-
CVE-2025-15138
LOW
CVSS 2.0
A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and ma...
PHP
Path Traversal
Tiny File Manager
-
CVE-2025-15135
LOW
CVSS 2.1
A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched r...
Authentication Bypass
Java
-
CVE-2025-15134
LOW
CVSS 2.0
A security flaw has been discovered in yourmaileyes MOOC up to 1.17. This affects the function subreview of the file mooc/controller/MainController.java of the component Submission Handler. Performing manipulation of the argument review results in cross-site scripting. The attack can be initiated re...
XSS
Java
-
CVE-2025-15133
LOW
CVSS 2.1
A vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. The impacted element is the function zfilev2_api_CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit ...
Command Injection
Z4Pro Firmware
-
CVE-2025-15132
LOW
CVSS 2.1
Command injection in ZSPACE Z4Pro+ 1.0.0440024 via the /v2/file/safe/open HTTP POST endpoint allows authenticated remote attackers to execute arbitrary commands with limited impact on confidentiality, integrity, and availability. The vulnerability affects the zfilev2_api_open function and has been publicly disclosed with exploit code available; however, the EPSS score of 0.38% (59th percentile) and CVSS scope constraint (SC:N) suggest limited real-world exploitation risk despite authenticated remote access capability.
Command Injection
Z4Pro Firmware
-
CVE-2025-15131
LOW
CVSS 2.1
A vulnerability was found in ZSPACE Z4Pro+ 1.0.0440024. Impacted is the function zfilev2_api_SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation results in command injection. The attack may be performed remotely. The exploit has been made publi...
Command Injection
Z4Pro Firmware
-
CVE-2025-15130
LOW
CVSS 2.0
A vulnerability has been found in shanyu SyCms up to a242ef2d194e8bb249dc175e7c49f2c1673ec921. This issue affects the function addPost of the file Application/Admin/Controller/FileManageController.class.php of the component Administrative Panel. The manipulation leads to code injection. The attack i...
PHP
Information Disclosure
-
CVE-2025-15129
LOW
CVSS 2.1
A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be executed r...
PHP
File Upload
-
CVE-2025-15126
LOW
CVSS 1.3
A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity ...
Information Disclosure
Jeecg Boot
-
CVE-2025-15125
LOW
CVSS 1.3
A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is characteriz...
Information Disclosure
Jeecg Boot
-
CVE-2025-15124
LOW
CVSS 1.3
A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The...
Information Disclosure
Jeecg Boot
-
CVE-2025-15123
LOW
CVSS 1.3
A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The explo...
Information Disclosure
Jeecg Boot
-
CVE-2025-15122
LOW
CVSS 1.3
Improper authorization in JeecgBoot up to version 3.9.0 allows authenticated remote attackers to manipulate departId and roleId parameters in the /sys/sysDepartRole/datarule/ endpoint to disclose sensitive information. The vulnerability requires legitimate user access and high exploitation complexity, but publicly available exploit code exists and the vendor did not respond to early disclosure attempts.
Information Disclosure
Jeecg Boot
-
CVE-2025-15120
LOW
CVSS 1.3
Improper authorization in JeecgBoot up to version 3.9.0 allows authenticated remote attackers to access unauthorized department role data via manipulation of the departId parameter in the getDeptRoleList endpoint, resulting in information disclosure of sensitive role assignments. The vulnerability requires login credentials and high attack complexity but has publicly available exploit code; however, real-world exploitation risk remains minimal given the 0.03% EPSS score and authentication prerequisite.
Information Disclosure
Jeecg Boot
-
CVE-2025-15119
LOW
CVSS 1.3
A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is associated with this at...
Information Disclosure
Jeecg Boot
-
CVE-2025-15118
LOW
CVSS 2.1
Improper authorization in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to modify member address information via the /member/address/update/ endpoint, resulting in unauthorized data manipulation. The vulnerability affects the Member Endpoint component and has publicly available exploit code, though real-world exploitation risk is low based on EPSS scoring (0.05%, 14th percentile) and the requirement for prior authentication.
Information Disclosure
Mall
-
CVE-2025-15116
LOW
CVSS 2.9
OpenCart versions up to 4.1.0.3 are vulnerable to a race condition in the Single-Use Coupon Handler component that allows remote attackers to perform unauthorized manipulation resulting in information disclosure. The attack requires high complexity and no authentication, with a CVSS score of 2.9 indicating low impact. Publicly available exploit code exists, though the vendor did not respond to early disclosure notification.
Information Disclosure
Race Condition
Opencart