2025-11-11
2025-11-11 18:15Z
CRIT

CVE-2025-60724 — Microsoft Office: Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-60724

Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. CVSSv3.1 9.8 (CRITICAL) · EPSS 37th percentile

CWECWE 122VNDMicrosoftVNDHeapTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-11-11
2025-11-11 18:15Z
HIGH

CVE-2025-30398 — Microsoft Nuance_powerscribe_360: Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30398

Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. CVSSv3.1 8.1 (HIGH) · EPSS 51th percentile

CWECWE 862VNDMicrosoftVNDNuanceTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-11
2025-11-11 16:15Z
HIGH

CVE-2025-13027 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13027

Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-11
2025-11-11 16:15Z
CRIT

CVE-2025-13026 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13026

Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)

CWECWE 703VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-11-11
2025-11-11 16:15Z
CRIT

CVE-2025-13024 — Mozilla Firefox: JIT miscompilation in the JavaScript Engine: JIT component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13024

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)

CWECWE 733VNDMozillaVNDJitTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-11-11
2025-11-11 16:15Z
CRIT

CVE-2025-13023 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13023

Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)

CWECWE 703VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-11-11
2025-11-11 16:15Z
CRIT

CVE-2025-13022 — Mozilla Firefox: Incorrect boundary conditions in the Graphics: WebGPU component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13022

Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)

CWECWE 703VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-11-11
2025-11-11 16:15Z
CRIT

CVE-2025-13021 — Mozilla Firefox: Incorrect boundary conditions in the Graphics: WebGPU component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13021

Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)

CWECWE 703VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-11-11
2025-11-11 16:15Z
HIGH

CVE-2025-13020 — Mozilla Firefox: Use-after-free in the WebRTC: Audio/Video component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13020

Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.8 (HIGH)

CWECWE 416VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-11-11
2025-11-11 16:15Z
HIGH

CVE-2025-13019 — Mozilla Firefox: Same-origin policy bypass in the DOM: Workers component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13019

Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.1 (HIGH)

CWECWE 942VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-11
2025-11-11 16:15Z
HIGH

CVE-2025-13018 — Mozilla Firefox: Mitigation bypass in the DOM: Security component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13018

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.1 (HIGH)

CWECWE 288VNDMozillaVNDMitigationTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-11
2025-11-11 16:15Z
HIGH

CVE-2025-13017 — Mozilla Firefox: Same-origin policy bypass in the DOM: Notifications component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13017

Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.1 (HIGH)

CWECWE 942VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-11
2025-11-11 16:15Z
HIGH

CVE-2025-13014 — Mozilla Firefox: Use-after-free in the Audio/Video component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-13014

Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.8 (HIGH)

CWECWE 416VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-11-11
2025-11-11 15:15Z
HIGH

CVE-2025-11959 — Files: or Directories Accessible to External Parties, Exposure of Private Personal Information to an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-11959

Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse. This issue affects Excavation Management Information System: before v.10.2025.01. CVSSv3.1 8.1 (HIGH) · EPSS 13th percentile

CWECWE 552CWECWE 359TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-11
2025-11-11 04:15Z
CRIT

CVE-2025-12813 — Holiday: The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-12813

The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. CVSSv3.1 9.8 (CRITICAL)

CWECWE 94VNDHolidayTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-11-11
2025-11-11 04:15Z
CRIT

CVE-2025-11457 — EasyCommerce: The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-11457

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site. CVSSv3.1 9.8 (CRITICAL)

CWECWE 269VNDEasycommerceTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-11-07
2025-11-07 20:15Z
CRIT

CVE-2025-10230 — Samba: A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10230

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process. CVSSv3.1 10.0 (CRITICAL) · EPSS 98th percentile

CWECWE 78VNDSambaTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-11-07
2025-11-07 13:15Z
HIGH

CVE-2025-10968 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE -

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-10968

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in GG Soft Software Services Inc. PaperWork allows Blind SQL Injection, SQL Injection. This issue affects PaperWork: from 6.1.0.9390 before 6.1.0.9398. CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile

CWECWE 89TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-11-07
2025-11-07 11:00Z
CRIT

What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299)

watchTowr Labs·labs.watchtowr.comCVE-2025-34299CVE-2022-31827CVE-2022-27469CVE-2022-27468in the wild

watchTowr Labs discovered CVE-2025-34299, a pre-authenticated remote code execution vulnerability in Monsta FTP affecting versions up to 2.11.2. The vulnerability chains an SFTP connection mechanism with arbitrary file write via the downloadFile action, allowing attackers to write malicious PHP files to the web root. The flaw persisted unfixed across multiple versions despite prior CVE disclosures for similar issues, and was patched in version 2.11.3 released 26 August 2025.

SRFApplicationTACTA0001TACTA0002SRFWebVNDMonsta FtpTYPWriteupTYPVulnerabilitySTGExecution
82
Edit Score
2025-11-07
2025-11-07 04:15Z
HIGH

CVE-2025-64328 — Sangoma Filestore: In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-64328in the wild

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3. CVSSv3.1 7.2 (HIGH) · EPSS 100th percentile

CWECWE 78VNDFreepbxVNDSangomaTYPVulnerabilitySTAitw exploited
7.2
CVSS v3.1
100
Edit Score
2025-11-06
2025-11-06 16:16Z
HIGH

CVE-2025-64287 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-64287

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion.This issue affects Alloggio - Hotel Booking: from n/a through <= 1.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-06
2025-11-06 16:16Z
HIGH

CVE-2025-62067 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62067

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Savory savory.This issue affects Savory: from n/a through <= 2.5. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-06
2025-11-06 16:16Z
HIGH

CVE-2025-62055 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62055

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Academist academist.This issue affects Academist: from n/a through < 1.3. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-06
2025-11-06 16:16Z
HIGH

CVE-2025-62053 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62053

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez houzez.This issue affects Houzez: from n/a through < 4.2.0. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-11-06
2025-11-06 16:16Z
HIGH

CVE-2025-62045 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-62045

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.10.5.1. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score