2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49251 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49251

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.28. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-49071 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen flozen-theme allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49071

Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen flozen-theme allows Upload a Web Shell to a Web Server.This issue affects Flozen: from n/a through < 1.5.1. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-48274 — Wpjobportal Wp_job_portal: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48274

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Blind SQL Injection.This issue affects WP Job Portal: from n/a through <= 2.3.2. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDWpjobportalTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-48118 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48118

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpExperts Hub Woocommerce Partial Shipment wc-partial-shipment allows SQL Injection.This issue affects Woocommerce Partial Shipment: from n/a through <= 3.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-47573 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47573

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management school-management allows Blind SQL Injection.This issue affects School Management: from n/a through <= 92.0.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-47559 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47559

Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-47452 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR wpvr allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47452

Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR wpvr allows Upload a Web Shell to a Web Server.This issue affects WP VR: from n/a through <= 8.5.26. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-39486 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39486

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Rankie valvepress-rankie allows SQL Injection.This issue affects Rankie: from n/a through < 1.8.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-39479 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39479

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartiolabs Smart Notification smio-push-notification allows Blind SQL Injection.This issue affects Smart Notification: from n/a through <= 10.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-32510 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager ova-events-manager

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-32510

Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager ova-events-manager allows Using Malicious Files.This issue affects Ovatheme Events Manager: from n/a through <= 1.8.4. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-31919 — Deserialization: of Untrusted Data vulnerability in themeton Spare spare allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31919

Deserialization of Untrusted Data vulnerability in themeton Spare spare allows Object Injection.This issue affects Spare: from n/a through <= 1.7. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-30618 — Deserialization: of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30618

Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows Object Injection.This issue affects Rapyd Payment Extension for WooCommerce: from n/a through <= 1.2.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-30562 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30562

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdistillery Navigation Tree Elementor navigation-tree-elementor allows Blind SQL Injection.This issue affects Navigation Tree Elementor: from n/a through <= 1.0.1. CVSSv3.1 8.5 (HIGH) · EPSS 32th percentile

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-29002 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-29002

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen snssimen allows PHP Local File Inclusion.This issue affects Simen: from n/a through <= 4.6. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-28991 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-28991

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Evon snsevon allows PHP Local File Inclusion.This issue affects Evon: from n/a through <= 3.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-24773 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24773

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows SQL Injection.This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-24761 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24761

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme DSK dsk allows PHP Local File Inclusion.This issue affects DSK: from n/a through < 2.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 14:15Z
CRIT

CVE-2025-4404 — A privilege escalation from host to domain vulnerability was found in the FreeIPA project.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4404

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrat CVSSv3.1 9.1 (CRITICAL) · EPSS 76th percentile

CWECWE 1220TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 16:15Z
CRIT

CVE-2025-49796 — Processing certain sch:name elements from the input XML file can trigger a memory corruption

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. CVSSv3.1 9.1 (CRITICAL) · EPSS 83th percentile

CWECWE 125TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 16:15Z
CRIT

CVE-2025-49794 — A use-after-free vulnerability was found in libxml2.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. CVSSv3.1 9.1 (CRITICAL) · EPSS 63th percentile

CWECWE 825TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 02:01Z
HIGH

LainAmsiOpenSession — Custom Amsi Bypass by patching AmsiOpenSession function in amsi.dll

GitHub · EDR bypass / evasion·github.comGITHUB POC

LainAmsiOpenSession is a PowerShell-based AMSI bypass tool that patches the AmsiOpenSession function in amsi.dll to evade Windows Defender and EDR detection. The technique derives from prior work by Sam Rothlisberger and Nuke-Amsi, implementing in-memory patching of the AMSI DLL to disable scanning.

SRFOsTACTA0005TYPTechniqueTYPToolSTGDefense EvasionTECT1562.001EXPProcess Injection
62
Edit Score
2025-06-15
2025-06-15 23:15Z
HIGH

CVE-2025-6095 — Codesiddhant Jasmin-ransomware: The manipulation of the argument username/password leads to sql injection.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6095

A vulnerability, which was classified as critical, was found in codesiddhant Jasmin Ransomware 1.0.1. Affected is an unknown function of the file /checklogin.php. The manipulation of the argument username/password leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 7.3 (HIGH) · EPSS 98th percentile

CWECWE 89CWECWE 74VNDCodesiddhantTYPVulnerability
7.3
CVSS v3.1
100
Edit Score
2025-06-13
2025-06-13 13:15Z
CRIT

CVE-2025-46060 — Totolink N600r_firmware: Buffer Overflow vulnerability in TOTOLINK N600R v4.3.0cu.7866_B2022506 allows a remote attacker to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-46060

Buffer Overflow vulnerability in TOTOLINK N600R v4.3.0cu.7866_B2022506 allows a remote attacker to execute arbitrary code via the UPLOAD_FILENAME component CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile

CWECWE 120VNDTotolinkVNDBufferTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-13
2025-06-13 07:55Z
CRIT

CVE-2025-32756-POC — Proof of Concept for CVE-2025-32756 - A critical stack-based buffer overflow vulnerability affecting multiple Fortinet p

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-32756in the wild

Public proof-of-concept released for CVE-2025-32756, a critical stack-based buffer overflow in Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera) affecting the AuthHash cookie processing in the /remote/hostcheck_validate endpoint. The PoC demonstrates unauthenticated RCE with CVSS 9.8 and includes scanning and exploitation capabilities across multiple target IPs and ranges.

SRFApplicationTACTA0001SRFNetwork ApplianceVNDFortinetTYPWriteupTYPExploitSTGInitial AccessTECT1190
88
Edit Score
2025-06-11
2025-06-11 12:15Z
CRIT

CVE-2025-49710 — Mozilla Firefox: An integer overflow was present in `OrderedHashTable` used by the JavaScript engine.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49710

An integer overflow was present in `OrderedHashTable` used by the JavaScript engine. This vulnerability was fixed in Firefox 139.0.4. CVSSv3.1 9.8 (CRITICAL)

CWECWE 190VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score