2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-49407 — Incorrect: Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49407

Incorrect Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue affects Premium SEO Pack: from n/a through <= 3.3.2. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-28
2025-08-28 13:15Z
HIGH

CVE-2025-49404 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49404

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in purethemes Listeo Core listeo-core allows SQL Injection.This issue affects Listeo Core: from n/a through < 2.0.7. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-08-28
2025-08-28 13:15Z
HIGH

CVE-2025-49402 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49402

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in scriptsbundle Exertio Framework exertio-framework allows Blind SQL Injection.This issue affects Exertio Framework: from n/a through <= 1.3.3. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-08-28
2025-08-28 13:15Z
CRIT

CVE-2025-49388 — Incorrect: Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49388

Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-28
2025-08-28 13:15Z
CRIT

CVE-2025-49387 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49387

Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.5.3. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-08-28
2025-08-28 13:15Z
HIGH

CVE-2025-49383 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49383

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Neresa neresa-wp allows PHP Local File Inclusion.This issue affects Neresa: from n/a through <= 1.3. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:15Z
CRIT

CVE-2025-48100 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48100

Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Remote Code Inclusion.This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. CVSSv3.1 9.1 (CRITICAL)

CWECWE 94TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-08-28
2025-08-28 12:15Z
CRIT

CVE-2025-39496 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39496

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WooBeWoo Product Filter Pro woofilter-pro allows SQL Injection.This issue affects WooBeWoo Product Filter Pro: from n/a through < 2.9.6. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-08-28
2025-08-28 00:00Z
CRIT

TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

Trend Micro Research·trendmicro.comin the wild

The TAOTH campaign exploited an abandoned Sogou Zhuyin IME update server (hijacked in October 2024) to distribute four malware families (TOSHIS, C6DOOR, DESFY, GTELAM) targeting Taiwanese users, dissidents, and journalists across Eastern Asia. Parallel spear-phishing operations deployed malware via fake cloud storage and login pages, with attackers harvesting OAuth credentials for email account compromise and lateral targeting.

SRFApplicationSRFOsTACTA0004TACTA0005TACTA0001TACTA0002TACTA0006TACTA0007
82
Edit Score
2025-08-27
2025-08-27 22:15Z
CRIT

CVE-2025-34523 — Arcserve Udp: A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-34523

A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniq CVSSv3.1 9.8 (CRITICAL) · EPSS 67th percentile

CWECWE 122VNDArcserveTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-27
2025-08-27 18:15Z
HIGH

CVE-2025-55422 — Foxcms Foxcms: In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-55422

In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus. CVSSv3.1 8.8 (HIGH) · EPSS 33th percentile

CWECWE 79VNDFoxcmsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-27
2025-08-27 17:03Z
HIGH

Referral Beware, Your Rewards are Mine (Part 1)

Rhino Security Labs·rhinosecuritylabs.com

Rhino Security Labs published a comprehensive analysis of security vulnerabilities in referral rewards programs across 20+ companies, identifying three common implementation patterns and discovering 25+ vulnerability classes including business logic flaws, race conditions, cookie injection, client-side path traversals, and a novel attack vector called referral hijacking via cookie fixation. The research demonstrates how attackers can steal referral rewards, hijack referral codes, and achieve XSS/CSRF through gadget chaining in client-side code.

SRFApplicationTACTA0001TACTA0006SRFWebTYPResearchTYPTechniqueSTGInitial AccessSTGCred Access
72
Edit Score
2025-08-26
2025-08-26 14:15Z
HIGH

CVE-2025-50753 — Mitrastar: GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-50753

Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command "deviceinfo show file" is supposed to be used from restricted shell to show files and directories. By providing " /bin/sh" (quotes included) to the argument of this command will drop a root shell. CVSSv3.1 8.4 (HIGH) · EPSS 5th percentile

CWECWE 250VNDMitrastarTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-08-25
2025-08-25 18:15Z
HIGH

CVE-2025-50383 — Easyappointments Easy\!appointments: alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-50383

alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter. CVSSv3.1 8.1 (HIGH) · EPSS 27th percentile

CWECWE 89VNDEasyappointmentsTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-25
2025-08-25 16:15Z
HIGH

CVE-2025-55409 — Foxcms Foxcms: 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-55409

FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code. CVSSv3.1 8.8 (HIGH) · EPSS 38th percentile

CWECWE 79VNDFoxcmsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-25
2025-08-25 15:15Z
HIGH

CVE-2025-56216 — Phpgurukul Hospital_management_system: Hospital Management System 4.0 is vulnerable to SQL Injection in about-us.php via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-56216

phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in about-us.php via the pagetitle parameter. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDPhpgurukulVNDHospitalTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-08-25
2025-08-25 15:15Z
CRIT

CVE-2025-56214 — Phpgurukul Hospital_management_system: Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-56214

phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDPhpgurukulVNDHospitalTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-25
2025-08-25 15:15Z
CRIT

CVE-2025-56212 — Phpgurukul Hospital_management_system: Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-56212

phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDPhpgurukulVNDHospitalTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-23
2025-08-23 14:43Z
LOW

v3.4.10

Nuclei releases·github.com

Nuclei v3.4.10 released with a single bug fix addressing a segmentation fault in template caching logic. This is a maintenance release with no security implications or feature additions.

SRFApplicationVNDProjectdiscoveryTYPTool
25
Edit Score
2025-08-23
2025-08-23 07:15Z
CRIT

CVE-2025-5821 — Case: The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5821

The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging in a user with the data that was previously verified through the facebook_ajax_login_callback() function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-23
2025-08-23 07:15Z
HIGH

CVE-2025-5060 — Bravis: The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5060

The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email. CVSSv3.1 8.1 (HIGH)

CWECWE 288VNDBravisTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-22
2025-08-22 17:15Z
CRIT

CVE-2025-57105 — Dlink Di-7400g\+_firmware: The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-57105

The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary commands on the device. The sub_478D28 function in in mng_platform.asp, and sub_4A12DC function in wayos_ac_server.asp of the jhttpd program, with the parameter ac_mng_srv_host. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 77VNDDlinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2025-08-22
2025-08-22 15:09Z
INFO

v3.4.9

Nuclei releases·github.com

Nuclei v3.4.9 released with a minor bug fix addressing output event handling for skipped hosts. This is a routine maintenance release with no security implications or feature additions.

SRFApplicationVNDProjectdiscoveryTYPTool
25
Edit Score
2025-08-21
2025-08-21 15:15Z
CRIT

CVE-2025-53251 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53251

Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a through < 7.2. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-08-21
2025-08-21 14:15Z
HIGH

CVE-2025-55370 — Jishenghua Jsherp: Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-55370

Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. CVSSv3.1 8.8 (HIGH) · EPSS 32th percentile

CWECWE 639VNDJishenghuaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score