Skip to main content
CVE-2025-15499 HIGH POC This Week

Operation And Maintenance Management System versions up to 3.0.8. is affected by command injection (CVSS 8.8).

Java Command Injection Operation And Maintenance Management System
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-66744 HIGH POC This Week

In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system [CVSS 7.5 HIGH]

Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
6.6%
CVE-2025-67133 HIGH POC This Week

Vida V1 Pro Firmware versions up to 2.0.7 is affected by uncontrolled resource consumption (CVSS 7.5).

Denial Of Service Vida V1 Pro Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-56225 HIGH POC PATCH This Week

fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file. [CVSS 7.5 HIGH]

Null Pointer Dereference Fluidsynth Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69194 HIGH PATCH This Week

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. [CVSS 8.8 HIGH]

Path Traversal Wget2 Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22194 HIGH This Week

GestSup through version 3.2.60 fails to implement CSRF protections, enabling attackers to forge requests that execute actions with a victim's privileges when they visit a malicious site. An unauthenticated attacker can exploit this to create privileged administrative accounts by targeting logged-in users, with no patch currently available to remediate the vulnerability.

CSRF Gestsup
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-64091 HIGH This Week

This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. [CVSS 8.6 HIGH]

Command Injection Tcis 3 Firmware
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-0830 HIGH This Week

Kiro IDE versions before 0.6.18 are vulnerable to command injection when processing maliciously named workspace folders in the GitLab Merge-Request helper, allowing local attackers with user interaction to execute arbitrary commands with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user interaction to open a crafted workspace, but no patch is currently available and exploitation requires minimal complexity. Users should restrict workspace access and avoid opening untrusted workspace folders until an update is released.

Gitlab Command Injection
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-67070 HIGH This Week

A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. [CVSS 8.2 HIGH]

Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-22197 HIGH This Week

GestSup versions before 3.2.60 allow authenticated attackers to execute SQL injection attacks through insufficiently sanitized filtering and sorting parameters in the asset list functionality, potentially enabling unauthorized database access or modification. The vulnerability requires valid credentials to exploit but has no available patch, leaving affected installations vulnerable to data breach or manipulation depending on database permissions.

SQLi Gestsup
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22196 HIGH This Week

GestSup prior to version 3.2.60 is vulnerable to SQL injection in the ticket creation feature, allowing authenticated attackers to execute arbitrary database queries through unsanitized user input. An attacker with valid credentials can read or modify sensitive database contents depending on the database permission level. No patch is currently available.

SQLi Gestsup
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22195 HIGH This Week

Authenticated attackers can exploit SQL injection in GestSup's search functionality (versions before 3.2.60) to manipulate database queries and access or modify sensitive data. The vulnerability stems from insufficient input validation on user-controlled search parameters in SQL statements. With no patch currently available, affected organizations should implement database access controls and monitor for suspicious search activity.

SQLi Gestsup
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-20976 HIGH This Week

Galaxy Store versions up to 4.6.02 contains a vulnerability that allows attackers to execute arbitrary script (CVSS 7.8).

RCE Samsung Galaxy Store
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20971 HIGH POC This Week

Arbitrary code execution in the Android PROCA driver before the January 2026 security update results from a use-after-free vulnerability accessible to local attackers with basic privileges. An attacker with local access can exploit this memory safety flaw to execute arbitrary code with elevated privileges on affected devices. No patch is currently available for this high-severity vulnerability.

Use After Free Android
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20970 HIGH This Week

Android versions up to 15.0 contains a vulnerability that allows attackers to execute the privileged APIs (CVSS 7.8).

Authentication Bypass Android
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-69195 HIGH PATCH This Week

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. [CVSS 7.6 HIGH]

Buffer Overflow Stack Overflow Memory Corruption Denial Of Service Wget2 +2
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-66049 HIGH This Week

Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security.  The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected t...

Information Disclosure Ip7137 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64092 HIGH This Week

This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. [CVSS 7.5 HIGH]

SQLi Icx500 Firmware Icx510 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-15035 HIGH This Week

Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality.This issue affects Archer AXE75 v1.6: ≤ build 20250107. [CVSS 7.3 HIGH]

TP-Link Archer Axe75 Firmware
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-66052 HIGH This Week

Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. [CVSS 7.2 HIGH]

Command Injection Ip7137 Firmware
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-14937 HIGH This Week

Frontend Admin by DynamiApps (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15057 HIGH This Week

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. [CVSS 7.2 HIGH]

WordPress Industrial XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15055 HIGH This Week

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress Industrial XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-14657 HIGH This Week

The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. [CVSS 7.2 HIGH]

WordPress PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy