Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-14431 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion.This issue affects Navian: from n/a through <= 1.5.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-14430 — Thememove Brook: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-14429 — Thememove Aeroland: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion.This issue affects AeroLand: from n/a through <= 1.6.6. CVSSv3.1 8.1 (HIGH)
CVE-2025-14359 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7. CVSSv3.1 8.1 (HIGH)
CVE-2025-12550 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes OchaHouse ochahouse allows PHP Local File Inclusion.This issue affects OchaHouse: from n/a through <= 2.2.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-12549 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Rozy - Flower Shop rozy allows PHP Local File Inclusion.This issue affects Rozy - Flower Shop: from n/a through <= 1.2.25. CVSSv3.1 8.1 (HIGH)
CVE-2025-69264 — Pnpm Pnpm: Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approva CVSSv3.1 8.8 (HIGH)
CVE-2026-22189 — Cmu Panda3d: The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based
The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic c CVSSv3.1 9.8 (CRITICAL) · EPSS 32th percentile
Breaking Down the Attack Surface of the Kenwood DNR1007XR – Part One
Zero Day Initiative published a detailed hardware teardown and attack surface analysis of the Kenwood DNR1007XR in-vehicle infotainment (IVI) unit ahead of Pwn2Own Automotive 2026. The analysis identifies multiple attack vectors including an SD card slot, USB ports, and critically, an exposed UART debug connector providing unauthenticated Linux shell access at 115200bps. The device runs a Dolphin+ TCC8034 ARM SoC with Linux, eMMC storage, and Murata WiFi/Bluetooth radio.
CVE-2025-12543 — Redhat Build_of_apache_camel: A flaw was found in the Undertow HTTP server core, which is used in
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. CVSSv3.1 9.6 (CRITICAL) · EPSS 64th percentile
CVE-2025-47552 — Deserialization: of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-32303 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH church-management allows Blind SQL Injection.This issue affects WPCHURCH: from n/a through <= 2.7.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-69081 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through <= 3.0.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-69080 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through <= 1.9.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-31643 — Incorrect: Privilege Assignment vulnerability in Dasinfomedia WPCHURCH church-management allows Privilege Escalation.This issue affects WPCHURCH
Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH church-management allows Privilege Escalation.This issue affects WPCHURCH: from n/a through <= 2.7.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-13371 — MoneySpace: The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated at CVSSv3.1 8.6 (HIGH)
CVE-2025-30996 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Newsy newsy allows
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Newsy newsy allows Upload a Web Shell to a Web Server.This issue affects Themify Newsy: from n/a through <= 1.9.9. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-29004 — Incorrect: Privilege Assignment vulnerability in AA-Team Responsive Coming Soon Landing Page / Holding Page
Incorrect Privilege Assignment vulnerability in AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress wordpress-flat-countdown allows Privilege Escalation.This issue affects Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through <= 3.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-32304 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH church-management allows PHP Local File Inclusion.This issue affects WPCHURCH: from n/a through <= 2.7.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-69351 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-69086 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Issabella issabella allows PHP Local File Inclusion.This issue affects Issabella: from n/a through <= 1.1.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-69083 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé frappe allows PHP Local File Inclusion.This issue affects Frappé: from n/a through <= 1.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-60534 — Blueaccesstech Cobalt_x1: Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker
Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2025-47553 — Deserialization: of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39. CVSSv3.1 8.8 (HIGH)
CVE-2025-39477 — Authorization: Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control
Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through <= 3.5.8. CVSSv3.1 9.8 (CRITICAL)