2025-06-09
2025-06-09 16:15Z
CRIT

CVE-2025-24767 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24767

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturaone TicketBAI Facturas para WooCommerce wp-ticketbai allows Blind SQL Injection.This issue affects TicketBAI Facturas para WooCommerce: from n/a through <= 3.19. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2025-23974 — Incorrect: Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation.This issue affects One-Login

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-23974

Incorrect Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation.This issue affects One-Login: from n/a through <= 1.4. CVSSv3.1 8.1 (HIGH)

CWECWE 266TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2023-26005 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-26005

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Fitrush bw-fitrush allows PHP Local File Inclusion.This issue affects Fitrush: from n/a through <= 1.3.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 16:15Z
HIGH

CVE-2023-25999 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-25999

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme bodycenter allows PHP Local File Inclusion.This issue affects BodyCenter - Gym, Fitness WooCommerce WordPress Theme: from n/a through <= 2.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-06-09
2025-06-09 04:03Z
CRIT

k8s-container-escape-lkm

GitHub · container escape·github.comGITHUB POC

RBT Security released a proof-of-concept Kubernetes container escape leveraging a custom Linux Kernel Module (LKM) to achieve host-level code execution from a privileged container. The exploit chains initial code execution (e.g., via SSTI) with kernel module loading to spawn a reverse shell with full host privileges, demonstrating the critical risk of running containers with CAP_SYS_MODULE capability.

SRFOsTACTA0004TACTA0002SRFCloudTACTA0008TYPToolTYPWriteupTYPExploit
72
Edit Score
2025-06-07
2025-06-07 05:15Z
HIGH

CVE-2025-47601 — Authorization: Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation.This issue affects MaxiBlocks

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47601

Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through <= 2.1.0. CVSSv3.1 8.8 (HIGH)

CWECWE 862TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-06-06
2025-06-06 13:15Z
HIGH

CVE-2025-49323 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49323

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.10. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-06-06
2025-06-06 13:15Z
HIGH

CVE-2025-49288 — Authorization: Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49288

Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects Ultimate WP Mail: from n/a through <= 1.3.5. CVSSv3.1 8.8 (HIGH)

CWECWE 862TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-06-06
2025-06-06 13:15Z
CRIT

CVE-2025-49073 — Axiomthemes Sweet_dessert: Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49073

Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection.This issue affects Sweet Dessert: from n/a through < 1.1.13. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502VNDAxiomthemesTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-06
2025-06-06 13:15Z
CRIT

CVE-2025-49072 — Deserialization: of Untrusted Data vulnerability in AncoraThemes Mr.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49072

Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy mr-murphy allows Object Injection.This issue affects Mr. Murphy: from n/a through < 1.2.12.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-06-06
2025-06-06 13:15Z
HIGH

CVE-2025-28986 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin epicwin-subscribers allows SQL Injection.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-28986

Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin epicwin-subscribers allows SQL Injection.This issue affects Epicwin Plugin: from n/a through <= 1.5. CVSSv3.1 8.2 (HIGH)

CWECWE 352TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-06-06
2025-06-06 12:15Z
CRIT

CVE-2025-47586 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47586

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events stm-motors-events allows PHP Local File Inclusion.This issue affects Motors - Events: from n/a through <= 1.4.7. CVSSv3.1 9.0 (CRITICAL)

CWECWE 98TYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2025-06-06
2025-06-06 12:15Z
HIGH

CVE-2025-39358 — Deserialization: of Untrusted Data vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39358

Deserialization of Untrusted Data vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Object Injection.This issue affects WP Posts Carousel: from n/a through <= 1.3.12. CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-06-05
2025-06-05 12:15Z
HIGH

CVE-2025-5701 — HyperComments: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5701

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDHypercommentsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-06-04
2025-06-04 10:55Z
CRIT

Multiple CVEs in Infoblox NetMRI: RCE, Auth Bypass, SQLi, and File Read Vulnerabilities

Rhino Security Labs disclosed six critical vulnerabilities in Infoblox NetMRI 7.5.4.104695, including unauthenticated command injection (CVE-2025-32813), SQL injection (CVE-2025-32814), hardcoded credentials enabling auth bypass (CVE-2025-32815), and authenticated arbitrary file read as root (CVE-2024-54188). The vulnerabilities span from initial access through privilege escalation, with full proof-of-concept code and exploitation chains provided. Patches are available in NetMRI 7.6.1.

SRFApplicationTACTA0004TACTA0005TACTA0001TACTA0002SRFNetwork ApplianceVNDInfobloxTYPResearch
92
Edit Score
2025-06-03
2025-06-03 16:15Z
CRIT

CVE-2025-44148 — Mailenable Mailenable: Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-44148

Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 79VNDMailenableTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2025-06-03
2025-06-03 05:15Z
CRIT

CVE-2025-4797 — Golo: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4797

The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address. CVE-2025-54725 is likely a duplicate of this issue. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288VNDGoloTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-05-30
2025-05-30 03:15Z
CRIT

CVE-2025-44619 — Tinxy Wifi_lock_controller_v1_rf_firmware: WiFi Lock Controller v1 RF was discovered to be configured to transmit on

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-44619

Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without authentication. CVSSv3.1 9.1 (CRITICAL)

CWECWE 284VNDTinxyTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-05-29
2025-05-29 19:15Z
CRIT

CVE-2025-48336 — Deserialization: of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-48336

Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection.This issue affects Course Builder: from n/a through < 3.6.6. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-05-28
2025-05-28 16:15Z
CRIT

CVE-2025-45343 — Tenda W18e_firmware: An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-45343

An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code via the editing functionality of the account module in the goform/setmodules route. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile

CWECWE 284VNDTendaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-05-27
2025-05-27 13:15Z
HIGH

CVE-2025-5269 — Mozilla Firefox: This bug showed evidence of memory corruption and we presume that with enough effort

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5269

Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 128.11. CVSSv3.1 8.1 (HIGH)

CWECWE 787VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-05-27
2025-05-27 13:15Z
HIGH

CVE-2025-5268 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5268

Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-05-24
2025-05-24 04:15Z
CRIT

CVE-2025-5058 — Emagicone Emagicone_store_manager_for_woocommerce: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5058

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDEmagiconeVNDStoreTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-05-24
2025-05-24 04:15Z
CRIT

CVE-2025-4603 — Emagicone Emagicone_store_manager_for_woocommerce: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4603

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in defa CVSSv3.1 9.1 (CRITICAL)

CWECWE 73VNDEmagiconeVNDStoreTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-05-24
2025-05-24 04:15Z
HIGH

CVE-2025-4336 — Emagicone Emagicone_store_manager_for_woocommerce: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4336

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password CVSSv3.1 8.1 (HIGH)

CWECWE 434VNDEmagiconeVNDStoreTYPVulnerability
8.1
CVSS v3.1
91
Edit Score