Skip to main content
CVE-2025-15556 HIGH KEV PATCH THREAT Act Now

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the WinGUp updater. The update mechanism fails to cryptographically verify downloaded metadata and installers, allowing man-in-the-middle attackers to serve malicious executables during the update process. KEV-listed, this supply chain risk affects one of the most widely used text editors on Windows.

RCE Notepad
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
4.3%
CVE-2025-69971 CRITICAL POC PATCH GHSA Act Now

FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass all access controls on the SCADA interface.

Authentication Bypass Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
4.8%
CVE-2025-10878 CRITICAL POC Act Now

AdminPando 1.0.1 by Fikir Odalari has a CVSS 10.0 SQL injection in the login functionality allowing complete authentication bypass and database takeover.

SQLi Authentication Bypass Fikir Odalari Adminpando
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-70841 CRITICAL POC Act Now

Dokans SaaS e-commerce platform v3.9.2 has a CVSS 10.0 authentication bypass allowing unauthenticated attackers to obtain sensitive application secrets and tenant data.

Laravel Authentication Bypass Dokans
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2020-37090 CRITICAL POC Act Now

School ERP Pro 1.0 allows students to upload arbitrary PHP files, enabling remote code execution from a low-privileged student account.

PHP RCE School Erp Pro
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-25510 CRITICAL POC PATCH Act Now

CI4MS (CodeIgniter 4 CMS skeleton) has a code injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary PHP code through the CMS module system.

PHP RCE Ci4ms
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-67186 CRITICAL POC Act Now

TOTOLINK A950RG router firmware has a buffer overflow in setUrlFilterRules that allows remote attackers to execute code through the router's management interface.

Buffer Overflow Denial Of Service A950rg Firmware RCE TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-67188 CRITICAL POC Act Now

TOTOLINK A950RG has a third buffer overflow in setRadvdCfg providing yet another RCE vector through the router's IPv6 configuration interface.

Buffer Overflow A950rg Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2020-37071 CRITICAL POC Act Now

CraftCMS 3 vCard Plugin 1.0.0 has an insecure deserialization vulnerability allowing unauthenticated remote code execution through crafted vCard data.

PHP RCE Deserialization
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2020-37082 CRITICAL POC Act Now

webERP 4.15.1 has an unauthenticated file access vulnerability allowing remote attackers to download sensitive files including configuration and database credentials.

Path Traversal Information Disclosure Weberp
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2020-37075 CRITICAL POC Act Now

LanSend 3.2 has a buffer overflow in the Add Computers Wizard file import enabling code execution through crafted computer list files.

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2020-37070 CRITICAL POC Act Now

CloudMe 1.11.2 cloud sync application has a buffer overflow enabling remote code execution through the network sync protocol.

RCE Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-63624 CRITICAL POC Act Now

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the industrial monitoring database.

IoT Industrial SQLi Iot Smart Water Meter Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-67187 CRITICAL POC Act Now

TOTOLINK A950RG has a stack-based buffer overflow in a second endpoint, providing an additional RCE vector through the router's CGI interface.

Buffer Overflow Stack Overflow A950rg Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-61506 CRITICAL POC Act Now

MediaCrush through version 1.0.1 allows unauthenticated arbitrary file upload without file type restrictions, enabling web shell deployment and remote code execution.

File Upload Mediacrush
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-57529 CRITICAL POC Act Now

YouDataSum CPAS Audit Management System v4.9 has a SQL injection in the archive report endpoint allowing extraction of audit and compliance data.

SQLi Cpas Audit Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2020-37069 CRITICAL POC Act Now

Konica Minolta FTP Utility 1.0 has a second buffer overflow in the NLST command, providing an additional RCE vector alongside the LIST vulnerability.

Buffer Overflow Denial Of Service Ftp Utility
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37068 CRITICAL POC Act Now

Konica Minolta FTP Utility 1.0 has a buffer overflow in the LIST command allowing remote attackers to execute code on systems running the utility.

Buffer Overflow Denial Of Service Ftp Utility
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37074 CRITICAL POC Act Now

Remote Desktop Audit 2.3.0.157 has a buffer overflow enabling code execution through crafted RDP scan responses.

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37065 CRITICAL POC Act Now

StreamRipper32 2.6 has a buffer overflow in the Station/Song Section allowing remote code execution through crafted audio stream metadata.

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37066 CRITICAL POC Act Now

GoldWave 5.70 audio editor has a buffer overflow enabling code execution through crafted audio files.

Buffer Overflow Stack Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37080 CRITICAL POC Act Now

webTareas 2.0.p8 has an arbitrary file deletion vulnerability in the print_layout.php admin component enabling system disruption.

PHP
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37067 CRITICAL POC Act Now

Filetto 1.0 FTP server has a denial of service vulnerability in FEAT command processing causing uncontrolled resource consumption.

Buffer Overflow Denial Of Service
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37113 HIGH POC This Week

Open Eclass Platform versions up to 1.7.3 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2020-37073 HIGH POC This Week

Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2020-37116 HIGH POC This Week

GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise. [CVSS 8.8 HIGH]

PHP MySQL Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2020-37078 HIGH POC This Week

import module contains a vulnerability that allows attackers to delete arbitrary files by manipulating the delete_import parameter (CVSS 8.8).

Information Disclosure
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24665 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 8.7 HIGH]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2020-37094 HIGH POC This Week

Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization and Espo-Authorization tokens to authenticate as a different user, including administrators, and inherit their privileges. The flaw stems from the login path never binding an auth token to its owning user, so a token valid for one account is accepted for another when passwords collide, also defeating two-factor authentication. Publicly available exploit code exists (Exploit-DB 48376); EPSS is low at 0.35%, and the issue is not listed in CISA KEV.

Authentication Bypass Espocrm
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2020-37088 HIGH POC This Week

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. [CVSS 7.5 HIGH]

PHP Path Traversal School Erp Pro
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
5.4%
CVE-2020-37076 HIGH POC This Week

Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. [CVSS 8.2 HIGH]

PHP SQLi Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2020-37083 HIGH POC This Week

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2020-37110 HIGH POC This Week

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi XSS 60cyclecms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37089 HIGH POC This Week

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. [CVSS 8.2 HIGH]

SQLi School Erp Pro
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2019-25260 HIGH POC This Week

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-1803 HIGH POC This Week

Ziroom ZHOME A0101 devices running version 1.0.1.0 use hardcoded default credentials in the Dropbear SSH service, enabling unauthenticated remote attackers to gain unauthorized access with high impact to confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. While exploitation requires specific conditions, security professionals should prioritize assessment and credential rotation for affected systems.

SSH
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2020-37102 HIGH POC This Week

WCAssistantService contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37100 HIGH POC This Week

Syncbreeze versions up to 12.4.18 contains a vulnerability that allows attackers to execute arbitrary code with elevated system privileges (CVSS 7.8).

RCE Syncbreeze
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-69875 HIGH POC This Week

A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. [CVSS 7.8 HIGH]

Privilege Escalation Total Security
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37101 HIGH POC This Week

VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37099 HIGH POC This Week

its service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2019-25261 HIGH POC This Week

Anydesk versions up to 5.4.0 contains a vulnerability that allows attackers to potentially inject malicious executables (CVSS 7.8).

Windows Anydesk
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24669 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 7.8 HIGH]

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37098 HIGH POC This Week

Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-60865 HIGH POC This Week

Pc Helpsoft Driver Updater versions up to 9.1.57803.1174 is affected by improper access control (CVSS 7.8).

Windows Pc Helpsoft Driver Updater
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25502 HIGH POC PATCH This Week

Arbitrary code execution in iccDEV versions prior to 2.3.1.2 via stack-based buffer overflow in the icFixXml() function when parsing malformed ICC color profiles with crafted NamedColor2 tags. Local attackers with user interaction can exploit this vulnerability to execute arbitrary code with high impact on confidentiality, integrity, and availability. Public exploit code exists and a patch is available in version 2.3.1.2 and later.

Buffer Overflow Stack Overflow Iccdev
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24773 HIGH POC This Week

Open Eclass Platform versions up to 4.2 is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37092 HIGH POC This Week

Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37093 HIGH POC This Week

Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. [CVSS 7.5 HIGH]

Information Disclosure
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37085 HIGH POC This Week

VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy