Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-57105 — Dlink Di-7400g\+_firmware: The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary
The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary commands on the device. The sub_478D28 function in in mng_platform.asp, and sub_4A12DC function in wayos_ac_server.asp of the jhttpd program, with the parameter ac_mng_srv_host. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile
v3.4.9
Nuclei v3.4.9 released with a minor bug fix addressing output event handling for skipped hosts. This is a routine maintenance release with no security implications or feature additions.
CVE-2025-53251 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows
Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a through < 7.2. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-55370 — Jishenghua Jsherp: Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to
Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. CVSSv3.1 8.8 (HIGH) · EPSS 32th percentile
CVE-2025-55368 — Jishenghua Jsherp: Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to
Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. CVSSv3.1 8.8 (HIGH) · EPSS 32th percentile
CVE-2025-5260 — Server: Server-Side Request Forgery (SSRF) vulnerability in Pik Online Yazılım Çözümleri A.Ş.
Server-Side Request Forgery (SSRF) vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Server Side Request Forgery. This issue affects Pik Online: before 3.1.5. CVSSv3.1 8.6 (HIGH) · EPSS 25th percentile
CVE-2025-54735 — Incorrect: Privilege Assignment vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Privilege Escalation.This issue affects
Incorrect Privilege Assignment vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Privilege Escalation.This issue affects CubeWP: from n/a through <= 1.1.24. CVSSv3.1 8.8 (HIGH)
CVE-2025-54726 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows SQL Injection.This issue affects JS Archive List: from n/a through < 6.1.6. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-54713 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager
Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce ecab-taxi-booking-manager allows Authentication Abuse.This issue affects Taxi Booking Manager for WooCommerce: from n/a through <= 1.3.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-54677 — Vcita Online_booking_\&_scheduling_calendar: Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.3. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-54049 — Incorrect: Privilege Assignment vulnerability in miniOrange Custom API for WP custom-api-for-wp allows Privilege Escalation.This
Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP custom-api-for-wp allows Privilege Escalation.This issue affects Custom API for WP: from n/a through <= 4.2.2. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-54048 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniOrange Custom API for WP custom-api-for-wp allows SQL Injection.This issue affects Custom API for WP: from n/a through <= 4.2.2. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-54031 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Schiocco Support Board supportboard allows PHP Local File Inclusion.This issue affects Support Board: from n/a through <= 3.8.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-54014 — Deserialization: of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows
Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Object Injection.This issue affects MediCenter - Health Medical Clinic: from n/a through <= 15.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-54007 — Deserialization: of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows
Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Object Injection.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.11. CVSSv3.1 8.8 (HIGH)
CVE-2025-53580 — Incorrect: Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This
Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This issue affects Simple Business Directory Pro: from n/a through < 15.6.9. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-53577 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS global-dns
Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS global-dns allows Remote Code Inclusion.This issue affects Global DNS: from n/a through <= 3.1.0. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-53567 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Ghost Kit ghostkit allows PHP Local File Inclusion.This issue affects Ghost Kit: from n/a through <= 3.4.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-53565 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Widget for Google Reviews business-reviews-wp allows PHP Local File Inclusion.This issue affects Widget for Google Reviews: from n/a through <= 1.0.15. CVSSv3.1 8.1 (HIGH)
CVE-2025-53560 — Deserialization: of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-53299 — Deserialization: of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer tmm_content_composer allows Object
Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer tmm_content_composer allows Object Injection.This issue affects ThemeMakers Visual Content Composer: from n/a through <= 1.5.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-53213 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier &
Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping elex-reachship-multi-carrier-conditional-shipping allows Using Malicious Files.This issue affects ReachShip WooCommerce Multi-Carrier & Conditional Shipping: from n/a through <= 4.3.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-53207 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel WP Travel Gutenberg Blocks wp-travel-blocks allows PHP Local File Inclusion.This issue affects WP Travel Gutenberg Blocks: from n/a through <= 3.9.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-53204 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist eventlist allows PHP Local File Inclusion.This issue affects eventlist: from n/a through <= 1.9.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-53198 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez houzez allows PHP Local File Inclusion.This issue affects Houzez: from n/a through <= 4.0.4. CVSSv3.1 8.1 (HIGH)