THREAT ALERT

ACT NOW CVE-2025-43529 8.8 WebKit arbitrary code execution via use-after-free memory corruption affects Safari 26.2, iOS/iPadOS 18.7.3 through 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2, allowing remote attackers to execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. Related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users. | ACT NOW CVE-2025-43510 7.8 Apple kernel lock state checking flaw allows a malicious application to cause unexpected changes in memory shared between processes, potentially enabling cross-process data manipulation on iOS, macOS, and other Apple platforms. | ACT NOW CVE-2025-48633 5.5 CVE-2025-48633 is a security vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed). Vendor patch is available. | ACT NOW CVE-2025-48572 7.8 Android contains a missing authentication vulnerability (CVE-2025-48572, CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, enabling local privilege escalation without user interaction. KEV-listed, this vulnerability enables malicious apps to perform privileged operations silently in the background, bypassing Android's activity launch restrictions. | ACT NOW CVE-2025-34291 8.8 Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints - including built-in code-execution functionality - allowing the attacker to execute arbitrary code and achieve full system compromise. | ACT NOW CVE-2025-66644 7.2 Array Networks ArrayOS AG before 9.4.5.9 contains an OS command injection vulnerability (CVE-2025-66644, CVSS 7.2) that has been actively exploited in the wild from August through December 2025. KEV-listed, this vulnerability in the VPN/SSL-VPN appliance enables authenticated attackers to execute arbitrary commands on the network edge device. | ACT NOW CVE-2025-55182 10.0 React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request. | EMERGENCY CVE-2025-66301 9.6 Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27. | ACT NOW CVE-2025-66294 8.8 Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27. |

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — December 29, 2025

14 CVEs tracked today. 0 Critical, 0 High, 0 Medium, 0 Low.

CVE-2025-68897 None
Remote code injection in IF AS Shortcode WordPress plugin versions up to 1.2 allows attackers to execute arbitrary code through improper handling of shortcode parameters. The vulnerability stems from CWE-94 (Improper Control of Code Generation) and affects WordPress installations using this plugin. Patchstack reported the vulnerability; however, no CVSS vector is provided and EPSS probability is low at 0.07%, suggesting limited real-world exploit activity at the time of analysis.

WordPress PHP Code Injection
CVE-2025-68893 None
Server-Side Request Forgery (SSRF) in WordPress Image Shrinker plugin versions up to 1.1.0 enables unauthenticated remote attackers to forge requests from the affected server to internal or external resources, potentially exposing sensitive data or enabling lateral movement within network infrastructure. The vulnerability has extremely low exploitation probability (EPSS 0.04th percentile) and no public exploit code identified, suggesting limited real-world threat despite the technical severity of SSRF vulnerabilities.

WordPress PHP SSRF
CVE-2025-68879 None
Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.

WordPress PHP XSS
CVE-2025-68878 None
Reflected cross-site scripting (XSS) in Advanced Custom CSS WordPress plugin versions through 1.1.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, credentials, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.

WordPress PHP XSS
CVE-2025-68877 None
Local file inclusion in CedCommerce Integration for Good Market WordPress plugin versions 1.0.6 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper filename validation in PHP include/require statements. The vulnerability affects a popular e-commerce integration plugin used by WooCommerce merchants, exposing sensitive configuration files, database credentials, and other sensitive data accessible to the web server process. EPSS probability of 0.14% suggests low real-world exploitation likelihood despite the information disclosure impact.

WordPress PHP Lfi
CVE-2025-68876 None
Reflected cross-site scripting (XSS) in INVELITY Invelity SPS connect WordPress plugin through version 1.0.8 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation and carries an extremely low exploitation probability (EPSS 0.04th percentile), suggesting minimal real-world attack motivation despite the CVSS scoring absence.

XSS Information Disclosure
CVE-2025-68870 None
Local file inclusion in reDim GmbH CookieHint WP plugin versions up to 1.0.0 allows unauthenticated attackers to read arbitrary files from the server filesystem through improper handling of filename parameters in PHP include/require statements. The vulnerability enables information disclosure by permitting attackers to access sensitive configuration files, source code, and other locally stored data without authentication. EPSS score of 0.14% indicates relatively low exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.

Information Disclosure PHP
CVE-2025-68868 None
Stored cross-site scripting (XSS) in codeaffairs Wp Text Slider Widget plugin for WordPress versions 1.0 and earlier enables authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users. The vulnerability arises from improper input sanitization during widget configuration, allowing persistent code injection through the plugin's admin interface.

WordPress PHP XSS
CVE-2025-68861 None
Missing authorization in Plugin Optimizer WordPress plugin through version 1.3.7 allows attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from improper authentication validation (CWE-862), enabling attackers to bypass security restrictions without proper administrative privileges. While EPSS scoring (0.06%, 17th percentile) indicates low exploitation probability, the authentication bypass classification warrants prompt patching.

WordPress PHP Authentication Bypass
CVE-2025-68860 None
Mobile Builder WordPress plugin versions 1.4.2 and earlier contain an authentication bypass vulnerability that allows attackers to circumvent authentication mechanisms through alternate paths or channels. The plugin fails to properly validate user credentials or session tokens, potentially enabling unauthorized access to sensitive functionality. With an EPSS score of 0.10% indicating low exploitation probability and no confirmed active exploitation, this represents a lower-priority vulnerability that should still be addressed through patching.

Authentication Bypass
CVE-2025-68607 None
Stored cross-site scripting (XSS) in WordPress Custom Field Template plugin through version 2.7.7 allows authenticated users to inject malicious scripts that execute in the browsers of other users who view affected content, potentially compromising site security and user data. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the high-impact nature of stored XSS on WordPress sites.

WordPress PHP XSS
CVE-2025-68504 None
DOM-based cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin through version 3.5.16 allows attackers to inject malicious scripts into the search interface that execute in users' browsers. The vulnerability affects the plugin's web page generation when processing search input, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users without requiring authentication themselves. No CVSS score was available at analysis time, but the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector.

WordPress PHP XSS
CVE-2025-68503 None
Missing authorization in Crocoblock JetBlog plugin versions up to 2.4.7 allows unauthenticated attackers to exploit incorrectly configured access control, potentially bypassing intended security restrictions on blog content and administrative functions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive operations, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the authorization defect.

WordPress PHP Authentication Bypass
CVE-2025-68502 None
Authorization Bypass in Crocoblock JetPopup WordPress plugin through version 2.0.20.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to protected popup content and functionality. EPSS score of 0.04% indicates low exploitation probability despite the authorization flaw; no public exploit code or active exploitation has been identified.

WordPress PHP Authentication Bypass

Today's Vulnerabilities Vulnerabilities