2025-08-20
2025-08-20 08:15Z
HIGH

CVE-2025-48158 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48158

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal.This issue affects BuddyPress XProfile Custom Image Field: from n/a through <= 3.0.1. CVSSv3.1 8.6 (HIGH)

CWECWE 22TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-08-20
2025-08-20 08:15Z
HIGH

CVE-2025-48157 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48157

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality formality allows PHP Local File Inclusion.This issue affects Formality: from n/a through <= 1.5.9. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-20
2025-08-20 08:15Z
HIGH

CVE-2025-48149 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48149

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Cook&Meal cookandmeal allows PHP Local File Inclusion.This issue affects Cook&Meal: from n/a through <= 1.2.3. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-20
2025-08-20 08:15Z
CRIT

CVE-2025-48148 — Upload: StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files.This issue affects StoreKeeper for WooCommerce: from

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48148

Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files.This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-08-20
2025-08-20 08:15Z
HIGH

CVE-2025-48142 — Incorrect: Privilege Assignment vulnerability in Saad Iqbal Bookify bookify allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48142

Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify bookify allows Privilege Escalation.This issue affects Bookify: from n/a through <= 1.0.9. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-20
2025-08-20 00:00Z
CRIT

Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware

Trend Micro Research·trendmicro.comin the wild

Warlock ransomware operators exploit unpatched Microsoft SharePoint vulnerabilities to gain initial access to enterprise networks, then escalate privileges via Group Policy abuse, steal credentials using Mimikatz and registry dumping, move laterally across domains using SMB and RDP, and deploy LockBit 3.0-derived ransomware with .x2anylock extension while exfiltrating data via RClone. The group emerged in June 2025 on Russian forums and rapidly expanded to target organizations across North America, Europe, Asia, and Africa in technology, finance, manufacturing, and critical infrastructure sectors, with suspected ties to Black Basta.

SRFApplicationSRFOsTACTA0004TACTA0005TACTA0001SRFNetworkTACTA0006TACTA0007
82
Edit Score
2025-08-19
2025-08-19 21:15Z
CRIT

CVE-2025-9187 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-9187

Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142 and Thunderbird 142. CVSSv3.1 9.8 (CRITICAL)

CWECWE 119VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-08-19
2025-08-19 21:15Z
HIGH

CVE-2025-9185 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-9185

Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderb CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-19
2025-08-19 21:15Z
HIGH

CVE-2025-9184 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-9184

Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2. CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-19
2025-08-19 21:15Z
HIGH

CVE-2025-9180 — Mozilla Firefox: Same-origin policy bypass in the Graphics: Canvas2D component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-9180

Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2. CVSSv3.1 8.1 (HIGH)

CWECWE 346VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-19
2025-08-19 21:15Z
CRIT

CVE-2025-9179 — Mozilla Firefox: An attacker was able to perform memory corruption in the GMP process which processes

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-9179

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2. CVSSv3.1 9.8 (CRITICAL)

CWECWE 119VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-19
2025-08-19 21:15Z
CRIT

CVE-2025-8042 — Mozilla Firefox: for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-8042

Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141. CVSSv3.1 9.8 (CRITICAL)

CWECWE 732VNDMozillaVNDFirefoxTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-19
2025-08-19 21:15Z
CRIT

CVE-2025-55031 — Mozilla Firefox: Malicious pages could use Firefox for iOS to pass FIDO: links to the OS

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-55031

Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability was fixed in Firefox for iOS 142 and Focus for iOS 142. CVSSv3.1 9.8 (CRITICAL)

CWECWE 601VNDMozillaVNDMaliciousTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-19
2025-08-19 21:15Z
CRIT

CVE-2025-54145 — Mozilla Firefox: The QR scanner could allow arbitrary websites to be opened if a user was

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54145

The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme. This vulnerability was fixed in Firefox for iOS 141. CVSSv3.1 9.1 (CRITICAL)

CWECWE 601VNDMozillaTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-08-19
2025-08-19 21:15Z
CRIT

CVE-2025-54143 — Mozilla Firefox: Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54143

Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability was fixed in Firefox for iOS 141. CVSSv3.1 9.8 (CRITICAL)

CWECWE 693VNDMozillaVNDSandboxedTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-19
2025-08-19 20:15Z
CRIT

CVE-2025-51543 — Cicool: An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-51543

An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint. CVSSv3.1 9.8 (CRITICAL) · EPSS 26th percentile

CWECWE 306VNDCicoolTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-19
2025-08-19 14:15Z
CRIT

CVE-2025-50567 — Saurus: This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-50567

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution. CVSSv3.1 10.0 (CRITICAL) · EPSS 49th percentile

CWECWE 89CWECWE 94VNDSaurusTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-08-16
2025-08-16 07:15Z
CRIT

CVE-2025-8898 — Taxi: The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-8898

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and le CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDTaxiTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-16
2025-08-16 04:16Z
CRIT

CVE-2025-7441 — StoryChief: The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7441

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDStorychiefTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-16
2025-08-16 04:15Z
HIGH

CVE-2025-6079 — School: The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6079

The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2025-31100 is potentially a duplicate of this. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDSchoolTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-15
2025-08-15 16:15Z
HIGH

CVE-2025-49897 — Incorrect: Privilege Assignment vulnerability in gopiplus School Management school-management allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49897

Incorrect Privilege Assignment vulnerability in gopiplus School Management school-management allows Privilege Escalation.This issue affects School Management: from n/a through <= 93.2.0. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-15
2025-08-15 13:00Z
INFO

Vulnerability Discovery with LLM-Powered Patch Diffing

Bishop Fox Labs·bishopfox.com

Bishop Fox published research on using LLM-powered patch diffing to accelerate vulnerability discovery by automating the analysis of binary diffs. Testing across four high-impact CVEs (CVSS 9.4+) showed Claude Sonnet 3.7 achieved 66% success rate in ranking vulnerable functions within Top 25 results, with variable performance depending on vulnerability class and advisory clarity.

SRFApplicationTACTA0043VNDAnthropicTYPResearchTYPToolSTGReconTECT1526
72
Edit Score
2025-08-14
2025-08-14 19:15Z
HIGH

CVE-2025-55708 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-55708

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection.This issue affects Quiz And Survey Master: from n/a through <= 10.2.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-08-14
2025-08-14 19:15Z
HIGH

CVE-2025-53587 — Site: Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo findgo allows Cross Site Request Forgery.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53587

Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo findgo allows Cross Site Request Forgery.This issue affects Findgo: from n/a through <= 1.3.57. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-14
2025-08-14 19:15Z
HIGH

CVE-2025-52797 — Site: Cross-Site Request Forgery (CSRF) vulnerability in josepsitjar StoryMap wp-storymap allows SQL Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52797

Cross-Site Request Forgery (CSRF) vulnerability in josepsitjar StoryMap wp-storymap allows SQL Injection.This issue affects StoryMap: from n/a through <= 2.1. CVSSv3.1 8.2 (HIGH)

CWECWE 352TYPVulnerability
8.2
CVSS v3.1
91
Edit Score