2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49255 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49255

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Ruza ruza allows PHP Local File Inclusion.This issue affects Ruza: from n/a through <= 1.0.7. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49254 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49254

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion.This issue affects Nika: from n/a through <= 1.2.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49253 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49253

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa lasa allows PHP Local File Inclusion.This issue affects Lasa: from n/a through <= 1.1. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49252 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49252

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-49251 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49251

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.28. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-49071 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen flozen-theme allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49071

Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen flozen-theme allows Upload a Web Shell to a Web Server.This issue affects Flozen: from n/a through < 1.5.1. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-48274 — Wpjobportal Wp_job_portal: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48274

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Blind SQL Injection.This issue affects WP Job Portal: from n/a through <= 2.3.2. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDWpjobportalTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-48118 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48118

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpExperts Hub Woocommerce Partial Shipment wc-partial-shipment allows SQL Injection.This issue affects Woocommerce Partial Shipment: from n/a through <= 3.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-47573 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47573

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management school-management allows Blind SQL Injection.This issue affects School Management: from n/a through <= 92.0.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-47559 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47559

Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-47452 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR wpvr allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47452

Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR wpvr allows Upload a Web Shell to a Web Server.This issue affects WP VR: from n/a through <= 8.5.26. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-39486 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39486

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Rankie valvepress-rankie allows SQL Injection.This issue affects Rankie: from n/a through < 1.8.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-39479 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39479

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartiolabs Smart Notification smio-push-notification allows Blind SQL Injection.This issue affects Smart Notification: from n/a through <= 10.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-32510 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager ova-events-manager

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-32510

Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager ova-events-manager allows Using Malicious Files.This issue affects Ovatheme Events Manager: from n/a through <= 1.8.4. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-31919 — Deserialization: of Untrusted Data vulnerability in themeton Spare spare allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31919

Deserialization of Untrusted Data vulnerability in themeton Spare spare allows Object Injection.This issue affects Spare: from n/a through <= 1.7. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-30618 — Deserialization: of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30618

Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce rapyd-payments allows Object Injection.This issue affects Rapyd Payment Extension for WooCommerce: from n/a through <= 1.2.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-30562 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30562

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdistillery Navigation Tree Elementor navigation-tree-elementor allows Blind SQL Injection.This issue affects Navigation Tree Elementor: from n/a through <= 1.0.1. CVSSv3.1 8.5 (HIGH) · EPSS 32th percentile

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-29002 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-29002

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen snssimen allows PHP Local File Inclusion.This issue affects Simen: from n/a through <= 4.6. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-28991 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-28991

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Evon snsevon allows PHP Local File Inclusion.This issue affects Evon: from n/a through <= 3.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-24773 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24773

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows SQL Injection.This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-24761 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24761

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme DSK dsk allows PHP Local File Inclusion.This issue affects DSK: from n/a through < 2.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 14:15Z
CRIT

CVE-2025-4404 — A privilege escalation from host to domain vulnerability was found in the FreeIPA project.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4404

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrat CVSSv3.1 9.1 (CRITICAL) · EPSS 76th percentile

CWECWE 1220TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 16:15Z
CRIT

CVE-2025-49796 — Processing certain sch:name elements from the input XML file can trigger a memory corruption

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. CVSSv3.1 9.1 (CRITICAL) · EPSS 83th percentile

CWECWE 125TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 16:15Z
CRIT

CVE-2025-49794 — A use-after-free vulnerability was found in libxml2.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. CVSSv3.1 9.1 (CRITICAL) · EPSS 63th percentile

CWECWE 825TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 02:01Z
HIGH

LainAmsiOpenSession — Custom Amsi Bypass by patching AmsiOpenSession function in amsi.dll

GitHub · EDR bypass / evasion·github.comGITHUB POC

LainAmsiOpenSession is a PowerShell-based AMSI bypass tool that patches the AmsiOpenSession function in amsi.dll to evade Windows Defender and EDR detection. The technique derives from prior work by Sam Rothlisberger and Nuke-Amsi, implementing in-memory patching of the AMSI DLL to disable scanning.

SRFOsTACTA0005TYPTechniqueTYPToolSTGDefense EvasionTECT1562.001EXPProcess Injection
62
Edit Score