Skip to main content
CVE-2025-69971 CRITICAL POC PATCH GHSA Act Now

FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass all access controls on the SCADA interface.

Authentication Bypass Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
4.8%
CVE-2025-10878 CRITICAL POC Act Now

AdminPando 1.0.1 by Fikir Odalari has a CVSS 10.0 SQL injection in the login functionality allowing complete authentication bypass and database takeover.

SQLi Authentication Bypass Fikir Odalari Adminpando
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-70841 CRITICAL POC Act Now

Dokans SaaS e-commerce platform v3.9.2 has a CVSS 10.0 authentication bypass allowing unauthenticated attackers to obtain sensitive application secrets and tenant data.

Laravel Authentication Bypass Dokans
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2020-37090 CRITICAL POC Act Now

School ERP Pro 1.0 allows students to upload arbitrary PHP files, enabling remote code execution from a low-privileged student account.

PHP RCE School Erp Pro
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-25510 CRITICAL POC PATCH Act Now

CI4MS (CodeIgniter 4 CMS skeleton) has a code injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary PHP code through the CMS module system.

PHP RCE Ci4ms
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-67186 CRITICAL POC Act Now

TOTOLINK A950RG router firmware has a buffer overflow in setUrlFilterRules that allows remote attackers to execute code through the router's management interface.

Buffer Overflow Denial Of Service A950rg Firmware RCE TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-67188 CRITICAL POC Act Now

TOTOLINK A950RG has a third buffer overflow in setRadvdCfg providing yet another RCE vector through the router's IPv6 configuration interface.

Buffer Overflow A950rg Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2020-37071 CRITICAL POC Act Now

CraftCMS 3 vCard Plugin 1.0.0 has an insecure deserialization vulnerability allowing unauthenticated remote code execution through crafted vCard data.

PHP RCE Deserialization
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2020-37082 CRITICAL POC Act Now

webERP 4.15.1 has an unauthenticated file access vulnerability allowing remote attackers to download sensitive files including configuration and database credentials.

Path Traversal Information Disclosure Weberp
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2020-37075 CRITICAL POC Act Now

LanSend 3.2 has a buffer overflow in the Add Computers Wizard file import enabling code execution through crafted computer list files.

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2020-37070 CRITICAL POC Act Now

CloudMe 1.11.2 cloud sync application has a buffer overflow enabling remote code execution through the network sync protocol.

RCE Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-63624 CRITICAL POC Act Now

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the industrial monitoring database.

IoT Industrial SQLi Iot Smart Water Meter Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-67187 CRITICAL POC Act Now

TOTOLINK A950RG has a stack-based buffer overflow in a second endpoint, providing an additional RCE vector through the router's CGI interface.

Buffer Overflow Stack Overflow A950rg Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-61506 CRITICAL POC Act Now

MediaCrush through version 1.0.1 allows unauthenticated arbitrary file upload without file type restrictions, enabling web shell deployment and remote code execution.

File Upload Mediacrush
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-57529 CRITICAL POC Act Now

YouDataSum CPAS Audit Management System v4.9 has a SQL injection in the archive report endpoint allowing extraction of audit and compliance data.

SQLi Cpas Audit Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2020-37069 CRITICAL POC Act Now

Konica Minolta FTP Utility 1.0 has a second buffer overflow in the NLST command, providing an additional RCE vector alongside the LIST vulnerability.

Buffer Overflow Denial Of Service Ftp Utility
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37068 CRITICAL POC Act Now

Konica Minolta FTP Utility 1.0 has a buffer overflow in the LIST command allowing remote attackers to execute code on systems running the utility.

Buffer Overflow Denial Of Service Ftp Utility
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37074 CRITICAL POC Act Now

Remote Desktop Audit 2.3.0.157 has a buffer overflow enabling code execution through crafted RDP scan responses.

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37065 CRITICAL POC Act Now

StreamRipper32 2.6 has a buffer overflow in the Station/Song Section allowing remote code execution through crafted audio stream metadata.

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37066 CRITICAL POC Act Now

GoldWave 5.70 audio editor has a buffer overflow enabling code execution through crafted audio files.

Buffer Overflow Stack Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37080 CRITICAL POC Act Now

webTareas 2.0.p8 has an arbitrary file deletion vulnerability in the print_layout.php admin component enabling system disruption.

PHP
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37067 CRITICAL POC Act Now

Filetto 1.0 FTP server has a denial of service vulnerability in FEAT command processing causing uncontrolled resource consumption.

Buffer Overflow Denial Of Service
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69983 CRITICAL Act Now

FUXA v1.2.7 allows remote code execution through the project import functionality by importing crafted project files containing malicious code.

RCE Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-24936 CRITICAL Act Now

ASUSTOR ADM has an input validation vulnerability when joining AD Domain that allows unauthenticated attackers to compromise the NAS device.

Code Injection Data Master
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25237 CRITICAL Act Now

PEAR PHP framework has a code execution vulnerability through unsafe use of preg_replace() that allows attackers to execute arbitrary PHP code.

PHP Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25241 CRITICAL Act Now

PEAR PHP framework has a seventh SQL injection with higher EPSS (0.12%), indicating more active scanning for this particular injection vector.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69981 CRITICAL Act Now

FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validation, enabling web shell deployment on SCADA systems.

SQLi Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25240 CRITICAL Act Now

PEAR PHP framework has another SQL injection vulnerability prior to version 1.33.0, the sixth in a series of critical security flaws in the PHP component distribution system.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25238 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a fifth SQL injection vulnerability, part of a comprehensive security audit that found multiple injection points across the framework.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25236 CRITICAL Act Now

PEAR PHP framework has a second SQL injection vulnerability in a different code path, providing an alternate database compromise vector.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25234 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a SQL injection vulnerability allowing attackers to extract data from the component distribution database.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-62799 CRITICAL PATCH Act Now

Fast DDS (eProsima) has a heap buffer overflow in its C++ DDS implementation that allows remote attackers to execute code through crafted DDS protocol messages.

Buffer Overflow Memory Corruption Denial Of Service Debian Linux Fast Dds
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-5319 CRITICAL Act Now

Emit Informatics product has a SQL injection vulnerability allowing unauthenticated database compromise through unsanitized input parameters.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1568 CRITICAL Act Now

Rapid7 InsightVM before 8.34.0 has a SAML signature verification bypass (CVSS 9.6) allowing attackers to forge authentication assertions and gain unauthorized access.

Authentication Bypass
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-25150 CRITICAL PATCH Act Now

Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code execution in SSR applications.

Denial Of Service Privilege Escalation Authentication Bypass Qwik
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-69970 CRITICAL Act Now

FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial control interfaces without authentication.

Information Disclosure Fuxa
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-24465 CRITICAL Act Now

ELECOM wireless LAN access point devices have a stack-based buffer overflow that allows remote attackers to execute code or crash the device via crafted packets.

Buffer Overflow Stack Overflow RCE Wab S300Iw Pd Firmware Wab S733Iw Pd Firmware +6
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-1341 CRITICAL Act Now

Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-1632 CRITICAL Act Now

MOMA Seismic Station v2.4.2520 exposes its web management interface without authentication, allowing unauthenticated control of seismological monitoring equipment.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-25233 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a logic bug in the roadmap feature allowing unauthorized access through incorrect operator comparison.

PHP Pearweb
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy