Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-49251 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.28. CVSSv3.1 8.1 (HIGH)
CVE-2025-49071 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen flozen-theme allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen flozen-theme allows Upload a Web Shell to a Web Server.This issue affects Flozen: from n/a through < 1.5.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-48274 — Wpjobportal Wp_job_portal: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Blind SQL Injection.This issue affects WP Job Portal: from n/a through <= 2.3.2. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-48118 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpExperts Hub Woocommerce Partial Shipment wc-partial-shipment allows SQL Injection.This issue affects Woocommerce Partial Shipment: from n/a through <= 3.2. CVSSv3.1 8.5 (HIGH)
CVE-2025-47573 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management school-management allows Blind SQL Injection.This issue affects School Management: from n/a through <= 92.0.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-47559 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-47452 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR wpvr allows
Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR wpvr allows Upload a Web Shell to a Web Server.This issue affects WP VR: from n/a through <= 8.5.26. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-39486 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Rankie valvepress-rankie allows SQL Injection.This issue affects Rankie: from n/a through < 1.8.2. CVSSv3.1 8.5 (HIGH)
CVE-2025-39479 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartiolabs Smart Notification smio-push-notification allows Blind SQL Injection.This issue affects Smart Notification: from n/a through <= 10.3. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-32510 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager ova-events-manager
Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager ova-events-manager allows Using Malicious Files.This issue affects Ovatheme Events Manager: from n/a through <= 1.8.4. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-31919 — Deserialization: of Untrusted Data vulnerability in themeton Spare spare allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in themeton Spare spare allows Object Injection.This issue affects Spare: from n/a through <= 1.7. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-30618 — Deserialization: of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows
Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows Object Injection.This issue affects Rapyd Payment Extension for WooCommerce: from n/a through <= 1.2.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-30562 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdistillery Navigation Tree Elementor navigation-tree-elementor allows Blind SQL Injection.This issue affects Navigation Tree Elementor: from n/a through <= 1.0.1. CVSSv3.1 8.5 (HIGH) · EPSS 32th percentile
CVE-2025-29002 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen snssimen allows PHP Local File Inclusion.This issue affects Simen: from n/a through <= 4.6. CVSSv3.1 8.1 (HIGH)
CVE-2025-28991 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Evon snsevon allows PHP Local File Inclusion.This issue affects Evon: from n/a through <= 3.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-24773 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows SQL Injection.This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-24761 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme DSK dsk allows PHP Local File Inclusion.This issue affects DSK: from n/a through < 2.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-4404 — A privilege escalation from host to domain vulnerability was found in the FreeIPA project.
A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrat CVSSv3.1 9.1 (CRITICAL) · EPSS 76th percentile
CVE-2025-49796 — Processing certain sch:name elements from the input XML file can trigger a memory corruption
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. CVSSv3.1 9.1 (CRITICAL) · EPSS 83th percentile
CVE-2025-49794 — A use-after-free vulnerability was found in libxml2.
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. CVSSv3.1 9.1 (CRITICAL) · EPSS 63th percentile
LainAmsiOpenSession — Custom Amsi Bypass by patching AmsiOpenSession function in amsi.dll
LainAmsiOpenSession is a PowerShell-based AMSI bypass tool that patches the AmsiOpenSession function in amsi.dll to evade Windows Defender and EDR detection. The technique derives from prior work by Sam Rothlisberger and Nuke-Amsi, implementing in-memory patching of the AMSI DLL to disable scanning.
CVE-2025-6095 — Codesiddhant Jasmin-ransomware: The manipulation of the argument username/password leads to sql injection.
A vulnerability, which was classified as critical, was found in codesiddhant Jasmin Ransomware 1.0.1. Affected is an unknown function of the file /checklogin.php. The manipulation of the argument username/password leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 7.3 (HIGH) · EPSS 98th percentile
CVE-2025-46060 — Totolink N600r_firmware: Buffer Overflow vulnerability in TOTOLINK N600R v4.3.0cu.7866_B2022506 allows a remote attacker to execute arbitrary
Buffer Overflow vulnerability in TOTOLINK N600R v4.3.0cu.7866_B2022506 allows a remote attacker to execute arbitrary code via the UPLOAD_FILENAME component CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile
CVE-2025-32756-POC — Proof of Concept for CVE-2025-32756 - A critical stack-based buffer overflow vulnerability affecting multiple Fortinet p
Public proof-of-concept released for CVE-2025-32756, a critical stack-based buffer overflow in Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera) affecting the AuthHash cookie processing in the /remote/hostcheck_validate endpoint. The PoC demonstrates unauthenticated RCE with CVSS 9.8 and includes scanning and exploitation capabilities across multiple target IPs and ranges.
CVE-2025-49710 — Mozilla Firefox: An integer overflow was present in `OrderedHashTable` used by the JavaScript engine.
An integer overflow was present in `OrderedHashTable` used by the JavaScript engine. This vulnerability was fixed in Firefox 139.0.4. CVSSv3.1 9.8 (CRITICAL)