Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-57819 — Sangoma Freepbx: 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile
CVE-2025-8067 — A flaw was found in the Udisks daemon, where it allows unprivileged users to
A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. Howe CVSSv3.1 8.5 (HIGH) · EPSS 47th percentile
CVE-2025-54742 — Deserialization: of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.4.8. CVSSv3.1 8.8 (HIGH)
CVE-2025-54738 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster noo-jobmonster allows
Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster noo-jobmonster allows Authentication Abuse.This issue affects Jobmonster: from n/a through <= 4.7.9. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-54731 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase
Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Object Injection.This issue affects YouTube Showcase: from n/a through <= 3.5.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-54725 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in uxper Golo golo allows
Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo golo allows Authentication Abuse.This issue affects Golo: from n/a through <= 1.7.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-54720 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SteelThemes Nest Addons nest-addons allows SQL Injection.This issue affects Nest Addons: from n/a through <= 1.6.3. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-54716 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca ireca allows PHP Local File Inclusion.This issue affects Ireca: from n/a through <= 1.8.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-53584 — Deserialization: of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support
Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System wp-ticket allows Object Injection.This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through <= 6.0.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-53583 — Deserialization: of Untrusted Data vulnerability in emarket-design Employee Spotlight employee-spotlight allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight employee-spotlight allows Object Injection.This issue affects Employee Spotlight: from n/a through <= 5.1.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-53578 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kipso kipso allows PHP Local File Inclusion.This issue affects Kipso: from n/a through <= 1.3.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-53576 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events ova-events allows PHP Local File Inclusion.This issue affects Ovatheme Events: from n/a through <= 1.2.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-53572 — Deserialization: of Untrusted Data vulnerability in emarket-design WP Easy Contact wp-easy-contact allows Object Injection.This
Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact wp-easy-contact allows Object Injection.This issue affects WP Easy Contact: from n/a through <= 4.0.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-53334 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through < 7.5.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-53248 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine eximious-magazine allows PHP Local File Inclusion.This issue affects Magazine: from n/a through <= 1.2.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-53247 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpinterface BlogMarks blogmarks allows PHP Local File Inclusion.This issue affects BlogMarks: from n/a through <= 1.0.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-53244 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine Elite magazine-elite allows PHP Local File Inclusion.This issue affects Magazine Elite: from n/a through <= 1.2.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-53243 — Deserialization: of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team
Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress employee-directory allows Object Injection.This issue affects Employee Directory – Staff Listing & Team Directory Plugin for WordPress: from n/a through <= 4.5.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-53227 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine Saga magazine-saga allows PHP Local File Inclusion.This issue affects Magazine Saga: from n/a through <= 1.2.7. CVSSv3.1 8.1 (HIGH)
CVE-2025-53216 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeuniver Glamer glamer allows PHP Local File Inclusion.This issue affects Glamer: from n/a through <= 1.0.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-52761 — Deserialization: of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This
Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This issue affects WP Funnel Manager: from n/a through <= 1.4.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-49407 — Incorrect: Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue
Incorrect Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue affects Premium SEO Pack: from n/a through <= 3.3.2. CVSSv3.1 8.8 (HIGH)
CVE-2025-49404 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in purethemes Listeo Core listeo-core allows SQL Injection.This issue affects Listeo Core: from n/a through < 2.0.7. CVSSv3.1 8.5 (HIGH)
CVE-2025-49402 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in scriptsbundle Exertio Framework exertio-framework allows Blind SQL Injection.This issue affects Exertio Framework: from n/a through <= 1.3.3. CVSSv3.1 8.5 (HIGH)
CVE-2025-49388 — Incorrect: Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue
Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7. CVSSv3.1 9.8 (CRITICAL)