2025-06-24
2025-06-24 13:15Z
CRIT

CVE-2025-6424 — Mozilla Firefox: A use-after-free in FontFaceSet resulted in a potentially exploitable crash.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6424

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. CVSSv3.1 9.8 (CRITICAL)

CWECWE 416VNDMozillaVNDFontfacesetTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-23
2025-06-23 23:15Z
HIGH

CVE-2025-6529 — 70mai M300_firmware: The manipulation leads to use of default credentials.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6529

A vulnerability was found in 70mai M300 up to 20250611 and classified as critical. Affected by this issue is some unknown functionality of the component Telnet Service. The manipulation leads to use of default credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.8 (HIGH) · EPSS 66th percentile

CWECWE 1392VND70maiTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-06-23
2025-06-23 17:15Z
CRIT

CVE-2023-47031 — Ncr Terminal_handler: An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to escalate privileges

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47031

An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to escalate privileges via a crafted POST request to the grantRolesToUsers, grantRolesToGroups, and grantRolesToOrganization SOAP API component. CVSSv3.1 9.8 (CRITICAL) · EPSS 46th percentile

CWECWE 284VNDNcrTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-22
2025-06-22 22:49Z
HIGH

VEH2 — A Patchless AMSI Bypass Technique using VEH²

GitHub · EDR bypass / evasion·github.comGITHUB POC

VEH2 is a public proof-of-concept tool implementing a patchless AMSI bypass technique using double Vectored Exception Handling (VEH) to intercept AmsiScanBuffer at runtime without modifying its code. The tool hosts the .NET CLR natively and executes arbitrary .NET assemblies from memory while evading AMSI detection by manipulating hardware breakpoints and exception handlers to force a clean scan result.

SRFOsTACTA0005TYPToolTYPExploitSTGDefense EvasionTECT1562.001EXPSandbox EscapeSTApoc public
72
Edit Score
2025-06-20
2025-06-20 15:15Z
HIGH

CVE-2025-52825 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Rameez Iqbal Real Estate Manager real-estate-manager allows Privilege

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52825

Cross-Site Request Forgery (CSRF) vulnerability in Rameez Iqbal Real Estate Manager real-estate-manager allows Privilege Escalation.This issue affects Real Estate Manager: from n/a through <= 7.3. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-06-20
2025-06-20 15:15Z
HIGH

CVE-2025-52822 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52822

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design WP Roadmap wp-roadmap allows SQL Injection.This issue affects WP Roadmap: from n/a through <= 2.1.3. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-06-20
2025-06-20 15:15Z
HIGH

CVE-2025-52821 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52821

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in thanhtungtnt Video List Manager video-list-manager allows SQL Injection.This issue affects Video List Manager: from n/a through <= 1.7. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-06-19
2025-06-19 13:15Z
CRIT

CVE-2025-4738 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4738

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yirmibes Software MY ERP allows SQL Injection. This issue affects MY ERP: before 1.170. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-18
2025-06-18 14:15Z
CRIT

CVE-2025-46157 — Efrotech Timetrax: An issue in EfroTech Time Trax v.1.0 allows a remote attacker to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-46157

An issue in EfroTech Time Trax v.1.0 allows a remote attacker to execute arbitrary code via the file attachment function in the leave request form CVSSv3.1 9.9 (CRITICAL) · EPSS 55th percentile

CWECWE 434VNDEfrotechTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-06-18
2025-06-18 13:00Z
HIGH

2025 Red Team Tools – Cloud & Identity Exploitation, Evasion & Developer Libraries

Bishop Fox Labs·bishopfox.com

Bishop Fox publishes a curated roundup of 16 red team tools spanning cloud/identity exploitation (AzureHound, ROADtools, AADInternals, GraphRunner, TREVORspray, MFASweep, SeamlessPass, MicroBurst), evasion techniques (Minikerberos, Windows-rs, Scapy, Pwntools), and post-exploitation frameworks (Volatility, Frida, Evilginx, CursedChrome). The selection emphasizes Azure AD/Microsoft 365 attack surface, credential harvesting, MFA bypass, and browser-based persistence mechanisms.

SRFApplicationSRFOsTACTA0004TACTA0005TACTA0001TACTA0002TACTA0006TACTA0007
72
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49879 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49879

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa Litho litho allows Path Traversal.This issue affects Litho: from n/a through <= 3.0. CVSSv3.1 8.6 (HIGH)

CWECWE 22TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49508 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49508

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.7.1. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-49452 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49452

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Ladó PostaPanduri postapanduri allows SQL Injection.This issue affects PostaPanduri: from n/a through <= 2.1.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-49447 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49447

Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu fw-food-menu allows Using Malicious Files.This issue affects FW Food Menu : from n/a through <= 6.0.0. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-49444 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in merkulove Reformer for Elementor reformer-elementor

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49444

Unrestricted Upload of File with Dangerous Type vulnerability in merkulove Reformer for Elementor reformer-elementor allows Upload a Web Shell to a Web Server.This issue affects Reformer for Elementor: from n/a through <= 1.0.5. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49415 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49415

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Gallery fw-gallery allows Path Traversal.This issue affects FW Gallery: from n/a through <= 8.0.0. CVSSv3.1 8.6 (HIGH)

CWECWE 22TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-49330 — Deserialization: of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49330

Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin cf7-zoho allows Object Injection.This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through <= 1.3.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49261 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49261

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49260 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49260

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion.This issue affects Aora: from n/a through <= 1.3.9. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49259 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49259

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.10. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49258 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49258

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia maia allows PHP Local File Inclusion.This issue affects Maia: from n/a through <= 1.1.15. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49257 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49257

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49256 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49256

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Sapa sapa allows PHP Local File Inclusion.This issue affects Sapa: from n/a through <= 1.1.14. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49255 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49255

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Ruza ruza allows PHP Local File Inclusion.This issue affects Ruza: from n/a through <= 1.0.7. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49254 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49254

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion.This issue affects Nika: from n/a through <= 1.2.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score