2026-01-08
2026-01-08 10:15Z
HIGH

CVE-2025-14431 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14431

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion.This issue affects Navian: from n/a through <= 1.5.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-08
2026-01-08 10:15Z
HIGH

CVE-2025-14430 — Thememove Brook: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14430

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0. CVSSv3.1 8.1 (HIGH)

CWECWE 98VNDThememoveTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-08
2026-01-08 10:15Z
HIGH

CVE-2025-14429 — Thememove Aeroland: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14429

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion.This issue affects AeroLand: from n/a through <= 1.6.6. CVSSv3.1 8.1 (HIGH)

CWECWE 98VNDThememoveTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-08
2026-01-08 10:15Z
HIGH

CVE-2025-14359 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-14359

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-08
2026-01-08 10:15Z
HIGH

CVE-2025-12550 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12550

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes OchaHouse ochahouse allows PHP Local File Inclusion.This issue affects OchaHouse: from n/a through <= 2.2.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-08
2026-01-08 10:15Z
HIGH

CVE-2025-12549 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12549

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Rozy - Flower Shop rozy allows PHP Local File Inclusion.This issue affects Rozy - Flower Shop: from n/a through <= 1.2.25. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-07
2026-01-07 22:15Z
HIGH

CVE-2025-69264 — Pnpm Pnpm: Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69264

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approva CVSSv3.1 8.8 (HIGH)

CWECWE 693VNDPnpmTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-01-07
2026-01-07 21:16Z
CRIT

CVE-2026-22189 — Cmu Panda3d: The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22189

The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic c CVSSv3.1 9.8 (CRITICAL) · EPSS 32th percentile

CWECWE 787CWECWE 121VNDCmuVNDPanda3dTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-07
2026-01-07 19:09Z
HIGH

Breaking Down the Attack Surface of the Kenwood DNR1007XR – Part One

Zero Day Initiative·thezdi.com

Zero Day Initiative published a detailed hardware teardown and attack surface analysis of the Kenwood DNR1007XR in-vehicle infotainment (IVI) unit ahead of Pwn2Own Automotive 2026. The analysis identifies multiple attack vectors including an SD card slot, USB ports, and critically, an exposed UART debug connector providing unauthenticated Linux shell access at 115200bps. The device runs a Dolphin+ TCC8034 ARM SoC with Linux, eMMC storage, and Murata WiFi/Bluetooth radio.

SRFHardwareVNDKenwoodTYPResearchTYPWriteupSTGInitial AccessSTGRecon
72
Edit Score
2026-01-07
2026-01-07 17:15Z
CRIT

CVE-2025-12543 — Redhat Build_of_apache_camel: A flaw was found in the Undertow HTTP server core, which is used in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12543

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. CVSSv3.1 9.6 (CRITICAL) · EPSS 64th percentile

CWECWE 20TYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2026-01-07
2026-01-07 13:15Z
CRIT

CVE-2025-47552 — Deserialization: of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47552

Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-07
2026-01-07 13:15Z
CRIT

CVE-2025-32303 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-32303

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH church-management allows Blind SQL Injection.This issue affects WPCHURCH: from n/a through <= 2.7.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2026-01-07
2026-01-07 12:17Z
HIGH

CVE-2025-69081 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69081

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through <= 3.0.0. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-07
2026-01-07 12:17Z
HIGH

CVE-2025-69080 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69080

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through <= 1.9.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-07
2026-01-07 12:17Z
HIGH

CVE-2025-31643 — Incorrect: Privilege Assignment vulnerability in Dasinfomedia WPCHURCH church-management allows Privilege Escalation.This issue affects WPCHURCH

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31643

Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH church-management allows Privilege Escalation.This issue affects WPCHURCH: from n/a through <= 2.7.0. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-07
2026-01-07 12:16Z
HIGH

CVE-2025-13371 — MoneySpace: The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13371

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated at CVSSv3.1 8.6 (HIGH)

CWECWE 200VNDMoneyspaceTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-01-06
2026-01-06 21:15Z
CRIT

CVE-2025-30996 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Newsy newsy allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30996

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Newsy newsy allows Upload a Web Shell to a Web Server.This issue affects Themify Newsy: from n/a through <= 1.9.9. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2026-01-06
2026-01-06 21:15Z
HIGH

CVE-2025-29004 — Incorrect: Privilege Assignment vulnerability in AA-Team Responsive Coming Soon Landing Page / Holding Page

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-29004

Incorrect Privilege Assignment vulnerability in AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress wordpress-flat-countdown allows Privilege Escalation.This issue affects Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through <= 3.0. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-06
2026-01-06 18:15Z
HIGH

CVE-2025-32304 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-32304

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH church-management allows PHP Local File Inclusion.This issue affects WPCHURCH: from n/a through <= 2.7.0. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-06
2026-01-06 17:15Z
HIGH

CVE-2025-69351 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69351

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2026-01-06
2026-01-06 17:15Z
HIGH

CVE-2025-69086 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69086

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Issabella issabella allows PHP Local File Inclusion.This issue affects Issabella: from n/a through <= 1.1.2. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-06
2026-01-06 17:15Z
HIGH

CVE-2025-69083 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-69083

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé frappe allows PHP Local File Inclusion.This issue affects Frappé: from n/a through <= 1.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-06
2026-01-06 17:15Z
CRIT

CVE-2025-60534 — Blueaccesstech Cobalt_x1: Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-60534

Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 287VNDBlueaccesstechVNDBlueTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-06
2026-01-06 17:15Z
HIGH

CVE-2025-47553 — Deserialization: of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47553

Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery dzs-videogallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-06
2026-01-06 17:15Z
CRIT

CVE-2025-39477 — Authorization: Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39477

Missing Authorization vulnerability in Sfwebservice InWave Jobs iwjob allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through <= 3.5.8. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862TYPVulnerability
9.8
CVSS v3.1
99
Edit Score