Skip to main content
CVE-2025-66376 HIGH KEV THREAT Act Now

Zimbra Collaboration Suite (ZCS) 10.x contains a stored XSS vulnerability in the Classic UI that allows attackers to execute arbitrary JavaScript through CSS @import directives in HTML emails. KEV-listed, this vulnerability (CVE-2025-66376) enables session hijacking and account takeover when administrators or users view malicious emails, making it a high-value target for email-based espionage campaigns.

XSS Zimbra Collaboration Suite
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-64424 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

Command Injection Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-68454 HIGH POC PATCH This Week

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. [CVSS 8.8 HIGH]

RCE Craft Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-59156 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. [CVSS 8.8 HIGH]

Docker RCE Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-55204 HIGH POC This Week

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. [CVSS 8.8 HIGH]

RCE Muffon
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-64423 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. [CVSS 8.8 HIGH]

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-15462 HIGH POC This Week

A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigAdvideo. [CVSS 8.8 HIGH]

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15461 HIGH POC This Week

A flaw has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTaskEdit. [CVSS 8.8 HIGH]

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15459 HIGH POC This Week

A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. [CVSS 8.8 HIGH]

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15460 HIGH POC This Week

A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formPptpClientConfig. [CVSS 8.8 HIGH]

Buffer Overflow 520w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0621 HIGH POC PATCH GHSA This Week

Denial of service in Anthropic's Model Context Protocol (MCP) TypeScript SDK versions up to and including 1.25.1 allows remote attackers to hang the Node.js event loop by submitting a crafted URI to the UriTemplate matcher. The dynamically built regex for RFC 6570 exploded array patterns contains nested quantifiers that trigger catastrophic backtracking, pinning CPU and rendering the process unresponsive. Publicly available exploit code exists, though EPSS is very low (0.02%) and it is not listed in CISA KEV, so real-world exploitation currently appears theoretical rather than widespread.

Node.js Denial Of Service Mcp Typescript Sdk
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-14124 HIGH POC This Week

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. [CVSS 8.6 HIGH]

WordPress SQLi PHP
NVD WPScan
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-65110 HIGH POC PATCH This Week

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. [CVSS 8.1 HIGH]

RCE XSS Vega Red Hat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-64425 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. [CVSS 8.1 HIGH]

Information Disclosure Coolify
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-59158 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. [CVSS 8.0 HIGH]

XSS Coolify
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-64421 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. [CVSS 8.0 HIGH]

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-67303 HIGH POC PATCH GHSA This Week

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface [CVSS 7.5 HIGH]

Information Disclosure AI / ML Comfyui Manager
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68455 HIGH POC PATCH This Week

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. [CVSS 7.2 HIGH]

RCE Craft Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
1.1%
CVE-2025-66648 HIGH POC PATCH This Week

vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). [CVSS 7.2 HIGH]

XSS Vega Functions Red Hat
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15240 HIGH This Week

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. [CVSS 8.8 HIGH]

File Upload RCE AI / ML Qoca Aim
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-21633 HIGH This Week

UniFi Protect Camera versions 6.1.79 and earlier contain an authentication bypass in their discovery protocol that allows adjacent network attackers to gain unauthorized access without credentials. An attacker on the local network can exploit this vulnerability to compromise camera systems and obtain full control. No patch is currently available, though updating to version 6.2.72 or later is recommended as mitigation.

Authentication Bypass Unifi Protect
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-31047 HIGH This Week

Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-66518 HIGH PATCH This Week

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. [CVSS 8.8 HIGH]

Apache Kyuubi
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-68044 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. [CVSS 8.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-31044 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through 3.3.2. [CVSS 8.5 HIGH]

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-53966 HIGH This Week

An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow during handling of an IOCTL message. [CVSS 8.4 HIGH]

Samsung Buffer Overflow Exynos 1380 Firmware Exynos 1580 Firmware Exynos 1480 Firmware +1
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-49495 HIGH This Week

An issue was discovered in the WiFi driver in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580. Mishandling of an NL80211 vendor command leads to a buffer overflow. [CVSS 8.4 HIGH]

Samsung Buffer Overflow Exynos 1580 Firmware Exynos 1380 Firmware Exynos 2400 Firmware +1
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-69087 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion.This issue affects FreeAgent: from n/a through 2.1.2. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-61916 HIGH PATCH This Week

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]

Docker Kubernetes AWS Gitlab Github +2
NVD GitHub
CVSS 3.1
7.9
EPSS
0.0%
CVE-2025-57836 HIGH This Week

An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges. [CVSS 7.8 HIGH]

Samsung Windows Magician
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-30516 HIGH This Week

Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67419 HIGH This Week

Evershop contains a vulnerability that allows attackers to exhaust the application server's resources via the "GET /images" API (CVSS 7.5).

Denial Of Service Evershop
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68953 HIGH PATCH This Week

Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. [CVSS 7.5 HIGH]

Path Traversal Frappe
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-43706 HIGH This Week

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. Incorrect handling of RRC packets leads to a Denial of Service. [CVSS 7.5 HIGH]

Samsung Denial Of Service Exynos 990 Firmware Exynos 850 Firmware Modem 5400 Firmware +8
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69223 HIGH PATCH This Week

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]

Python Aiohttp Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59467 HIGH This Week

A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. [CVSS 7.5 HIGH]

XSS Privilege Escalation Argentina Afip Invoices
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68850 HIGH This Week

Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68033 HIGH This Week

Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68547 HIGH This Week

Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. [CVSS 7.5 HIGH]

Authentication Bypass Follow My Blog Post
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-46255 HIGH This Week

Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-5965 HIGH PATCH This Week

In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. [CVSS 7.2 HIGH]

Command Injection Centreon Web
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-61781 HIGH PATCH This Week

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. [CVSS 7.1 HIGH]

Authentication Bypass Opencti
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-30461 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS.This issue affects Tumult Hype Animations: from n/a through 1.9.11. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2023-49186 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-53735 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS.This issue affects iPhone Webclip Manager: from n/a through 0.5. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52519 HIGH This Week

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. [CVSS 7.1 HIGH]

Samsung Denial Of Service Information Disclosure Exynos 1580 Firmware Exynos 2500 Firmware +4
NVD
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy