2025-06-17
2025-06-17 15:15Z
CRIT

CVE-2025-24773 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24773

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows SQL Injection.This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-17
2025-06-17 15:15Z
HIGH

CVE-2025-24761 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24761

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme DSK dsk allows PHP Local File Inclusion.This issue affects DSK: from n/a through < 2.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-17
2025-06-17 14:15Z
CRIT

CVE-2025-4404 — A privilege escalation from host to domain vulnerability was found in the FreeIPA project.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4404

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrat CVSSv3.1 9.1 (CRITICAL) · EPSS 76th percentile

CWECWE 1220TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 16:15Z
CRIT

CVE-2025-49796 — Processing certain sch:name elements from the input XML file can trigger a memory corruption

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. CVSSv3.1 9.1 (CRITICAL) · EPSS 83th percentile

CWECWE 125TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 16:15Z
CRIT

CVE-2025-49794 — A use-after-free vulnerability was found in libxml2.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. CVSSv3.1 9.1 (CRITICAL) · EPSS 63th percentile

CWECWE 825TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-06-16
2025-06-16 02:01Z
HIGH

LainAmsiOpenSession — Custom Amsi Bypass by patching AmsiOpenSession function in amsi.dll

GitHub · EDR bypass / evasion·github.comGITHUB POC

LainAmsiOpenSession is a PowerShell-based AMSI bypass tool that patches the AmsiOpenSession function in amsi.dll to evade Windows Defender and EDR detection. The technique derives from prior work by Sam Rothlisberger and Nuke-Amsi, implementing in-memory patching of the AMSI DLL to disable scanning.

SRFOsTACTA0005TYPTechniqueTYPToolSTGDefense EvasionTECT1562.001EXPProcess Injection
62
Edit Score
2025-06-15
2025-06-15 23:15Z
HIGH

CVE-2025-6095 — Codesiddhant Jasmin-ransomware: The manipulation of the argument username/password leads to sql injection.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6095

A vulnerability, which was classified as critical, was found in codesiddhant Jasmin Ransomware 1.0.1. Affected is an unknown function of the file /checklogin.php. The manipulation of the argument username/password leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 7.3 (HIGH) · EPSS 98th percentile

CWECWE 89CWECWE 74VNDCodesiddhantTYPVulnerability
7.3
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-06-13
2025-06-13 13:15Z
CRIT

CVE-2025-46060 — Totolink N600r_firmware: Buffer Overflow vulnerability in TOTOLINK N600R v4.3.0cu.7866_B2022506 allows a remote attacker to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-46060

Buffer Overflow vulnerability in TOTOLINK N600R v4.3.0cu.7866_B2022506 allows a remote attacker to execute arbitrary code via the UPLOAD_FILENAME component CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile

CWECWE 120VNDTotolinkVNDBufferTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-13
2025-06-13 07:55Z
CRIT

CVE-2025-32756-POC — Proof of Concept for CVE-2025-32756 - A critical stack-based buffer overflow vulnerability affecting multiple Fortinet p

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-32756in the wild

Public proof-of-concept released for CVE-2025-32756, a critical stack-based buffer overflow in Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera) affecting the AuthHash cookie processing in the /remote/hostcheck_validate endpoint. The PoC demonstrates unauthenticated RCE with CVSS 9.8 and includes scanning and exploitation capabilities across multiple target IPs and ranges.

SRFApplicationTACTA0001SRFNetwork ApplianceVNDFortinetTYPWriteupTYPExploitSTGInitial AccessTECT1190
88
Edit Score
2025-06-11
2025-06-11 12:15Z
CRIT

CVE-2025-49710 — Mozilla Firefox: An integer overflow was present in `OrderedHashTable` used by the JavaScript engine.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49710

An integer overflow was present in `OrderedHashTable` used by the JavaScript engine. This vulnerability was fixed in Firefox 139.0.4. CVSSv3.1 9.8 (CRITICAL)

CWECWE 190VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-11
2025-06-11 12:15Z
CRIT

CVE-2025-49709 — Mozilla Firefox: Certain canvas operations could have lead to memory corruption.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49709

Certain canvas operations could have lead to memory corruption. This vulnerability was fixed in Firefox 139.0.4. CVSSv3.1 9.8 (CRITICAL)

CWECWE 787VNDMozillaVNDCertainTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-10
2025-06-10 17:24Z
HIGH

CVE-2025-47953 — Microsoft 365_apps: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47953

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 78th percentile

CWECWE 641VNDMicrosoftTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-06-10
2025-06-10 17:23Z
HIGH

CVE-2025-47167 — Microsoft 365_apps: Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47167

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 80th percentile

CWECWE 843VNDMicrosoftVNDAccessTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-06-10
2025-06-10 17:23Z
HIGH

CVE-2025-47164 — Microsoft 365_apps: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47164

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 76th percentile

CWECWE 416VNDMicrosoftTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-06-10
2025-06-10 17:23Z
HIGH

CVE-2025-47162 — Microsoft 365_apps: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47162

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 76th percentile

CWECWE 122VNDMicrosoftVNDHeapTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-06-10
2025-06-10 13:15Z
CRIT

CVE-2025-49507 — Deserialization: of Untrusted Data vulnerability in LoftOcean CozyStay cozystay allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49507

Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay cozystay allows Object Injection.This issue affects CozyStay: from n/a through < 1.7.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-10
2025-06-10 13:15Z
CRIT

CVE-2025-49455 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49455

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge WordPress-WPJobBoard click-pledge-wpjobboard allows Blind SQL Injection.This issue affects WordPress-WPJobBoard: from n/a through <= 25.07010000-WP6.8.1-JB5.11.5. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-10
2025-06-10 13:15Z
HIGH

CVE-2025-49454 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49454

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean TinySalt tinysalt allows PHP Local File Inclusion.This issue affects TinySalt: from n/a through < 3.10.0. CVSSv3.1 8.1 (HIGH) · EPSS 55th percentile

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-49297 — Qodeinteractive Grill_and_chow: Path Traversal: '.../...//' vulnerability in Mikado-Themes Grill and Chow grillandchow allows PHP Local File

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49297

Path Traversal: '.../...//' vulnerability in Mikado-Themes Grill and Chow grillandchow allows PHP Local File Inclusion.This issue affects Grill and Chow: from n/a through <= 1.6. CVSSv3.1 8.1 (HIGH)

CWECWE 35VNDQodeinteractiveTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-49296 — Qodeinteractive Grandprix: Path Traversal: '.../...//' vulnerability in Mikado-Themes GrandPrix grandprix allows PHP Local File Inclusion.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49296

Path Traversal: '.../...//' vulnerability in Mikado-Themes GrandPrix grandprix allows PHP Local File Inclusion.This issue affects GrandPrix: from n/a through <= 1.6. CVSSv3.1 8.1 (HIGH)

CWECWE 35VNDQodeinteractiveTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-49295 — Qodeinteractive Mediclinic: Path Traversal: '.../...//' vulnerability in Mikado-Themes MediClinic mediclinic allows PHP Local File Inclusion.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49295

Path Traversal: '.../...//' vulnerability in Mikado-Themes MediClinic mediclinic allows PHP Local File Inclusion.This issue affects MediClinic: from n/a through <= 2.1. CVSSv3.1 8.1 (HIGH)

CWECWE 35VNDQodeinteractiveTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-49282 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49282

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magze magze allows PHP Local File Inclusion.This issue affects Magze: from n/a through <= 1.0.9. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-49281 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49281

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magways magways allows PHP Local File Inclusion.This issue affects Magways: from n/a through <= 1.2.1. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-49280 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49280

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magty magty allows PHP Local File Inclusion.This issue affects Magty: from n/a through <= 1.0.6. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-49279 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49279

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Blogvy blogvy allows PHP Local File Inclusion.This issue affects Blogvy: from n/a through <= 1.0.7. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score