Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-5243 — Upload: Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in
Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SMG Software Information Portal allows Code Injection, Upload a Web Shell to a Web Server, Code Inclusion. This issue affects Information Portal: before 13.06.2025. CVSSv3.1 10.0 (CRITICAL) · EPSS 85th percentile
CVE-2025-4822 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bayraktar Solar Energies ScadaWatt Otopilot allows SQL Injection. This issue affects ScadaWatt Otopilot: before 27.05.2025. CVSSv3.1 9.8 (CRITICAL) · EPSS 28th percentile
CVE-2025-6441 — Webinar: The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for
The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a missing capability check on the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions in all versions up to, and including, 4.03.32. This makes it possible for unauthenticated attackers to generate login tokens for arbitrary WordPress users under CVSSv3.1 9.8 (CRITICAL)
CVE-2025-8020 — All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where
All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code. CVSSv3.1 8.2 (HIGH) · EPSS 7th percentile
CVE-2025-8044 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141 and Thunderbird 141. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-8043 — Mozilla Firefox: Focus incorrectly truncated URLs towards the beginning instead of around the origin.
Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-8040 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1. CVSSv3.1 8.8 (HIGH)
CVE-2025-8039 — Mozilla Firefox: In some cases search terms persisted in the URL bar even after navigating away
In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-8038 — Mozilla Firefox: Thunderbird ignored paths when checking the validity of navigations in a frame.
Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-8037 — Mozilla Firefox: Setting a nameless cookie with an equals sign in the value shadowed other cookies.
Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-8036 — Mozilla Firefox: Thunderbird cached CORS preflight responses across IP address changes.
Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-8035 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. CVSSv3.1 8.8 (HIGH)
CVE-2025-8034 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderb CVSSv3.1 8.8 (HIGH)
CVE-2025-8032 — Mozilla Firefox: XSLT document loading did not correctly propagate the source document which bypassed its CSP.
XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-8031 — Mozilla Firefox: The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-8030 — Mozilla Firefox: Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick
Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-8029 — Mozilla Firefox: Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags.
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-8028 — Mozilla Firefox: On arm64, a WASM `br_table` instruction with a lot of entries could lead to
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-4285 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection. This issue affects Agentis: before 4.32. CVSSv3.1 10.0 (CRITICAL) · EPSS 48th percentile
CVE-2025-44654 — Linksys E2500_firmware: This could lead to unauthorized access to system files, privilege escalation, or use of
In Linksys E2500 3.0.04.002, the chroot_local_user option is enabled in the vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. CVSSv3.1 9.8 (CRITICAL) · EPSS 61th percentile
CVE-2025-44655 — Totolink A7100ru_firmware: This could lead to unauthorized access to system files, privilege escalation, or use of
In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. CVSSv3.1 9.8 (CRITICAL) · EPSS 26th percentile
CVE-2025-50585 — Daycloud Studentmanage: v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/adminStudentUrl.
StudentManage v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/adminStudentUrl. CVSSv3.1 8.8 (HIGH) · EPSS 28th percentile
CVE-2025-52164 — Software: GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to store credentials in
Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to store credentials in plaintext. CVSSv3.1 8.2 (HIGH) · EPSS 16th percentile
CVE-2025-6718 — WordPress: The B1.lt plugin for WordPress is vulnerable to SQL Injection due to a missing
The B1.lt plugin for WordPress is vulnerable to SQL Injection due to a missing capability check on the b1_run_query AJAX action in all versions up to, and including, 2.2.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute and run arbitrary SQL commands. CVSSv3.1 8.8 (HIGH)
CVE-2025-7398 — Broadcom Brocade_active_support_connectivity_gateway: Brocade ASCG before 3.3.0 allows for the use of medium strength cryptography algorithms on
Brocade ASCG before 3.3.0 allows for the use of medium strength cryptography algorithms on internal ports ports 9000 and 8036. CVSSv3.1 9.1 (CRITICAL)