Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-60724 — Microsoft Office: Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code
Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. CVSSv3.1 9.8 (CRITICAL) · EPSS 37th percentile
CVE-2025-30398 — Microsoft Nuance_powerscribe_360: Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a
Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. CVSSv3.1 8.1 (HIGH) · EPSS 51th percentile
CVE-2025-13027 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 8.1 (HIGH)
CVE-2025-13026 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-13024 — Mozilla Firefox: JIT miscompilation in the JavaScript Engine: JIT component.
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-13023 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-13022 — Mozilla Firefox: Incorrect boundary conditions in the Graphics: WebGPU component.
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-13021 — Mozilla Firefox: Incorrect boundary conditions in the Graphics: WebGPU component.
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-13020 — Mozilla Firefox: Use-after-free in the WebRTC: Audio/Video component.
Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.8 (HIGH)
CVE-2025-13019 — Mozilla Firefox: Same-origin policy bypass in the DOM: Workers component.
Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-13018 — Mozilla Firefox: Mitigation bypass in the DOM: Security component.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-13017 — Mozilla Firefox: Same-origin policy bypass in the DOM: Notifications component.
Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-13014 — Mozilla Firefox: Use-after-free in the Audio/Video component.
Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5. CVSSv3.1 8.8 (HIGH)
CVE-2025-11959 — Files: or Directories Accessible to External Parties, Exposure of Private Personal Information to an
Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse. This issue affects Excavation Management Information System: before v.10.2025.01. CVSSv3.1 8.1 (HIGH) · EPSS 13th percentile
CVE-2025-12813 — Holiday: The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution
The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-11457 — EasyCommerce: The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is
The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-10230 — Samba: A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process. CVSSv3.1 10.0 (CRITICAL) · EPSS 98th percentile
CVE-2025-10968 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE -
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in GG Soft Software Services Inc. PaperWork allows Blind SQL Injection, SQL Injection. This issue affects PaperWork: from 6.1.0.9390 before 6.1.0.9398. CVSSv3.1 8.8 (HIGH) · EPSS 12th percentile
What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299)
watchTowr Labs discovered CVE-2025-34299, a pre-authenticated remote code execution vulnerability in Monsta FTP affecting versions up to 2.11.2. The vulnerability chains an SFTP connection mechanism with arbitrary file write via the downloadFile action, allowing attackers to write malicious PHP files to the web root. The flaw persisted unfixed across multiple versions despite prior CVE disclosures for similar issues, and was patched in version 2.11.3 released 26 August 2025.
CVE-2025-64328 — Sangoma Filestore: In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3. CVSSv3.1 7.2 (HIGH) · EPSS 100th percentile
CVE-2025-64287 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion.This issue affects Alloggio - Hotel Booking: from n/a through <= 1.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-62067 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Savory savory.This issue affects Savory: from n/a through <= 2.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-62055 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Academist academist.This issue affects Academist: from n/a through < 1.3. CVSSv3.1 8.1 (HIGH)
CVE-2025-62053 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez houzez.This issue affects Houzez: from n/a through < 4.2.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-62045 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.10.5.1. CVSSv3.1 8.1 (HIGH)