Skip to main content
CVE-2023-50897 CRITICAL Act Now

Media File Renamer WordPress plugin (through 5.7.7) by Meow Apps allows administrators to upload files with dangerous types, achieving OS-level code execution with scope change. While admin access is required, the scope break makes this critical.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-67397 CRITICAL Act Now

Passy v1.6.3 password manager allows authenticated administrators to execute arbitrary OS commands via crafted HTTP requests. The scope change from application to OS makes this critical despite requiring high privileges.

Command Injection RCE Passy
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-27807 CRITICAL Act Now

Samsung Exynos processors (multiple models including 980, 990, 2100, 2200, 2400) and modems have an out-of-bounds write via malformed NAS (Non-Access Stratum) packets. This baseband vulnerability can be exploited over the cellular network without user interaction, potentially affecting millions of devices.

Samsung Exynos 1080 Firmware Modem 5300 Firmware Exynos 2200 Firmware Exynos 980 Firmware +15
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-15240 HIGH This Week

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. [CVSS 8.8 HIGH]

File Upload RCE AI / ML Qoca Aim
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-21633 HIGH This Week

UniFi Protect Camera versions 6.1.79 and earlier contain an authentication bypass in their discovery protocol that allows adjacent network attackers to gain unauthorized access without credentials. An attacker on the local network can exploit this vulnerability to compromise camera systems and obtain full control. No patch is currently available, though updating to version 6.2.72 or later is recommended as mitigation.

Authentication Bypass Unifi Protect
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-31047 HIGH This Week

Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-66518 HIGH PATCH This Week

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. [CVSS 8.8 HIGH]

Apache Kyuubi
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-68044 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. [CVSS 8.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-31044 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through 3.3.2. [CVSS 8.5 HIGH]

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-53966 HIGH This Week

An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow during handling of an IOCTL message. [CVSS 8.4 HIGH]

Samsung Buffer Overflow Exynos 1380 Firmware Exynos 1580 Firmware Exynos 1480 Firmware +1
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-49495 HIGH This Week

An issue was discovered in the WiFi driver in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580. Mishandling of an NL80211 vendor command leads to a buffer overflow. [CVSS 8.4 HIGH]

Samsung Buffer Overflow Exynos 1580 Firmware Exynos 1380 Firmware Exynos 2400 Firmware +1
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-64422 MEDIUM POC This Month

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. [CVSS 4.3 MEDIUM]

Denial Of Service Coolify
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-69087 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion.This issue affects FreeAgent: from n/a through 2.1.2. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-61916 HIGH PATCH This Week

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]

Docker Kubernetes AWS Gitlab Github +2
NVD GitHub
CVSS 3.1
7.9
EPSS
0.0%
CVE-2025-57836 HIGH This Week

An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges. [CVSS 7.8 HIGH]

Samsung Windows Magician
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-30516 HIGH This Week

Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67419 HIGH This Week

Evershop contains a vulnerability that allows attackers to exhaust the application server's resources via the "GET /images" API (CVSS 7.5).

Denial Of Service Evershop
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68953 HIGH PATCH This Week

Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. [CVSS 7.5 HIGH]

Path Traversal Frappe
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-43706 HIGH This Week

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. Incorrect handling of RRC packets leads to a Denial of Service. [CVSS 7.5 HIGH]

Samsung Denial Of Service Exynos 990 Firmware Exynos 850 Firmware Modem 5400 Firmware +8
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69223 HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]

Python Aiohttp Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59467 HIGH This Week

A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. [CVSS 7.5 HIGH]

XSS Privilege Escalation Argentina Afip Invoices
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68850 HIGH This Week

Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68033 HIGH This Week

Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68547 HIGH This Week

Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. [CVSS 7.5 HIGH]

Authentication Bypass Follow My Blog Post
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-46255 HIGH This Week

Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-5965 HIGH PATCH This Week

In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. [CVSS 7.2 HIGH]

Command Injection Centreon Web
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-61781 HIGH PATCH This Week

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. [CVSS 7.1 HIGH]

Authentication Bypass Opencti
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-30461 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS.This issue affects Tumult Hype Animations: from n/a through 1.9.11. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2023-49186 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-53735 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS.This issue affects iPhone Webclip Manager: from n/a through 0.5. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52519 HIGH This Week

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. [CVSS 7.1 HIGH]

Samsung Denial Of Service Information Disclosure Exynos 1580 Firmware Exynos 2500 Firmware +4
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-12513 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]

XSS Centreon Web
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-12511 MEDIUM PATCH This Month

Dynamic Service Management versions up to 25.10.1 is affected by cross-site scripting (xss) (CVSS 6.8).

XSS Dynamic Service Management
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-13056 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]

XSS Centreon Web
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-23511 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-39561 MEDIUM This Month

Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-15235 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. [CVSS 6.5 MEDIUM]

Authentication Bypass AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67427 MEDIUM This Month

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. [CVSS 6.5 MEDIUM]

SSRF Evershop
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68280 MEDIUM PATCH This Month

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...

Apache Java XXE Spatial Information System
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-15239 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15238 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69224 MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]

Python Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68436 MEDIUM PATCH This Month

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. [CVSS 6.5 MEDIUM]

Information Disclosure Craft Cms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68014 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in Awethemes AweBooking allows Retrieve Embedded Sensitive Data.This issue affects AweBooking: from n/a through 3.2.26. [CVSS 6.5 MEDIUM]

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2023-51513 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21634 MEDIUM This Month

UniFi Protect Application versions 6.1.79 and earlier suffer from a buffer overflow in the discovery protocol that allows adjacent network attackers to trigger denial of service by causing the application to restart. The vulnerability requires network proximity but no authentication or user interaction, making it exploitable by any attacker on the same network segment. Administrators should upgrade to version 6.2.72 or later to remediate this issue.

Buffer Overflow Unifi Protect
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-39497 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS.This issue affects Dokan Pro: from n/a through 3.14.5. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0581 LOW POC Monitor

Ac1206 Firmware versions up to 15.03.06.23 contains a vulnerability that allows attackers to command injection (CVSS 6.3).

Command Injection Tenda
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
1.3%
CVE-2025-68029 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in WP Swings Wallet System for WooCommerce allows Retrieve Embedded Sensitive Data.This issue affects Wallet System for WooCommerce: from n/a through 2.7.2. [CVSS 6.3 MEDIUM]

WordPress Information Disclosure
NVD
CVSS 3.0
6.3
EPSS
0.0%
CVE-2025-52516 MEDIUM This Month

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service. [CVSS 6.2 MEDIUM]

Samsung Linux Denial Of Service Exynos 1330 Firmware Exynos 1480 Firmware +4
NVD
CVSS 3.1
6.2
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy