Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-24767 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturaone TicketBAI Facturas para WooCommerce wp-ticketbai allows Blind SQL Injection.This issue affects TicketBAI Facturas para WooCommerce: from n/a through <= 3.19. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-23974 — Incorrect: Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation.This issue affects One-Login
Incorrect Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation.This issue affects One-Login: from n/a through <= 1.4. CVSSv3.1 8.1 (HIGH)
CVE-2023-26005 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Fitrush bw-fitrush allows PHP Local File Inclusion.This issue affects Fitrush: from n/a through <= 1.3.4. CVSSv3.1 8.1 (HIGH)
CVE-2023-25999 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme bodycenter allows PHP Local File Inclusion.This issue affects BodyCenter - Gym, Fitness WooCommerce WordPress Theme: from n/a through <= 2.4. CVSSv3.1 8.1 (HIGH)
k8s-container-escape-lkm
RBT Security released a proof-of-concept Kubernetes container escape leveraging a custom Linux Kernel Module (LKM) to achieve host-level code execution from a privileged container. The exploit chains initial code execution (e.g., via SSTI) with kernel module loading to spawn a reverse shell with full host privileges, demonstrating the critical risk of running containers with CAP_SYS_MODULE capability.
CVE-2025-47601 — Authorization: Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation.This issue affects MaxiBlocks
Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through <= 2.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-49323 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.10. CVSSv3.1 8.5 (HIGH)
CVE-2025-49288 — Authorization: Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects
Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects Ultimate WP Mail: from n/a through <= 1.3.5. CVSSv3.1 8.8 (HIGH)
CVE-2025-49073 — Axiomthemes Sweet_dessert: Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection.This issue affects Sweet Dessert: from n/a through < 1.1.13. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-49072 — Deserialization: of Untrusted Data vulnerability in AncoraThemes Mr.
Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy mr-murphy allows Object Injection.This issue affects Mr. Murphy: from n/a through < 1.2.12.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-28986 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin epicwin-subscribers allows SQL Injection.This issue
Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin epicwin-subscribers allows SQL Injection.This issue affects Epicwin Plugin: from n/a through <= 1.5. CVSSv3.1 8.2 (HIGH)
CVE-2025-47586 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events stm-motors-events allows PHP Local File Inclusion.This issue affects Motors - Events: from n/a through <= 1.4.7. CVSSv3.1 9.0 (CRITICAL)
CVE-2025-39358 — Deserialization: of Untrusted Data vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Object Injection.This
Deserialization of Untrusted Data vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Object Injection.This issue affects WP Posts Carousel: from n/a through <= 1.3.12. CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile
CVE-2025-5701 — HyperComments: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can
The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain CVSSv3.1 8.8 (HIGH)
Multiple CVEs in Infoblox NetMRI: RCE, Auth Bypass, SQLi, and File Read Vulnerabilities
Rhino Security Labs disclosed six critical vulnerabilities in Infoblox NetMRI 7.5.4.104695, including unauthenticated command injection (CVE-2025-32813), SQL injection (CVE-2025-32814), hardcoded credentials enabling auth bypass (CVE-2025-32815), and authenticated arbitrary file read as root (CVE-2024-54188). The vulnerabilities span from initial access through privilege escalation, with full proof-of-concept code and exploitation chains provided. Patches are available in NetMRI 7.6.1.
CVE-2025-44148 — Mailenable Mailenable: Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to
Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile
CVE-2025-4797 — Golo: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to
The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address. CVE-2025-54725 is likely a duplicate of this issue. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-44619 — Tinxy Wifi_lock_controller_v1_rf_firmware: WiFi Lock Controller v1 RF was discovered to be configured to transmit on
Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without authentication. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-48336 — Deserialization: of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection.This issue affects Course Builder: from n/a through < 3.6.6. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-45343 — Tenda W18e_firmware: An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code
An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code via the editing functionality of the account module in the goform/setmodules route. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile
CVE-2025-5269 — Mozilla Firefox: This bug showed evidence of memory corruption and we presume that with enough effort
Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 128.11. CVSSv3.1 8.1 (HIGH)
CVE-2025-5268 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. CVSSv3.1 8.1 (HIGH)
CVE-2025-5058 — Emagicone Emagicone_store_manager_for_woocommerce: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password CVSSv3.1 9.8 (CRITICAL)
CVE-2025-4603 — Emagicone Emagicone_store_manager_for_woocommerce: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in defa CVSSv3.1 9.1 (CRITICAL)
CVE-2025-4336 — Emagicone Emagicone_store_manager_for_woocommerce: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password CVSSv3.1 8.1 (HIGH)