Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-31423 — Deserialization: of Untrusted Data vulnerability in AncoraThemes Umberto umberto allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto umberto allows Object Injection.This issue affects Umberto: from n/a through <= 1.2.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31397 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce scw-bus-seat-reservation allows SQL Injection.This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through <= 1.7. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-31069 — Deserialization: of Untrusted Data vulnerability in themeton HotStar – Multi-Purpose Business Theme hotstar allows
Deserialization of Untrusted Data vulnerability in themeton HotStar – Multi-Purpose Business Theme hotstar allows Object Injection.This issue affects HotStar – Multi-Purpose Business Theme: from n/a through <= 1.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31064 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting vizeon allows PHP Local File Inclusion.This issue affects Vizeon - Business Consulting: from n/a through < 1.2.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-31060 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Capie capie allows PHP Local File Inclusion.This issue affects Capie: from n/a through <= 1.0.40. CVSSv3.1 8.1 (HIGH)
CVE-2025-31056 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce WhatsCart-for-WooCommerce allows SQL Injection.This issue affects WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce: from n/a through <= 1.1.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-31049 — Deserialization: of Untrusted Data vulnerability in themeton Dash dash allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in themeton Dash dash allows Object Injection.This issue affects Dash: from n/a through <= 1.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-26147: Authenticated RCE In Denodo Scheduler
CVE-2025-26147 is an authenticated path traversal vulnerability in Denodo Scheduler's Kerberos keytab file upload functionality that allows arbitrary file writes to the filesystem. By chaining this with JSP web shell upload to the Tomcat webroot, attackers achieve remote code execution. The vulnerability was patched in Denodo 8.0 update 20240307.
CVE-2025-4524 — Madara: The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress
The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and CVSSv3.1 9.8 (CRITICAL) · EPSS 87th percentile
CVE-2025-48340 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows
Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <= 1.02. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39402 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS apartment-management allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS apartment-management allows Upload a Web Shell to a Web Server.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023). CVSSv3.1 9.9 (CRITICAL)
CVE-2025-39401 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS apartment-management allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS apartment-management allows Upload a Web Shell to a Web Server.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023). CVSSv3.1 10.0 (CRITICAL)
CVE-2025-39395 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPAMS apartment-management allows SQL Injection.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023). CVSSv3.1 9.3 (CRITICAL)
CVE-2025-39389 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solid Plugins AnalyticsWP analyticswp allows SQL Injection.This issue affects AnalyticsWP: from n/a through <= 2.1.2. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-39386 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla Hospital Management System hospital-management allows SQL Injection.This issue affects Hospital Management System: from n/a through <= 47.0(20-11-2023). CVSSv3.1 9.3 (CRITICAL)
CVE-2025-39380 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System hospital-management
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System hospital-management allows Upload a Web Shell to a Web Server.This issue affects Hospital Management System: from n/a through <= 47.0(20-11-2023). CVSSv3.1 10.0 (CRITICAL)
CVE-2025-39366 — Incorrect: Privilege Assignment vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a
Incorrect Privilege Assignment vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a through < 5.8.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-39357 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla Hospital Management System hospital-management allows SQL Injection.This issue affects Hospital Management System: from n/a through <= 47.0(20-11-2023). CVSSv3.1 8.5 (HIGH)
CVE-2025-39356 — Deserialization: of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart foodbakery-sticky-cart allows Object Injection.This
Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart foodbakery-sticky-cart allows Object Injection.This issue affects Foodbakery Sticky Cart: from n/a through <= 3.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39355 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in roninwp FAT Services Booking fat-services-booking allows SQL Injection.This issue affects FAT Services Booking: from n/a through <= 5.6. CVSSv3.1 8.5 (HIGH)
CVE-2025-39354 — Themegoods Grand_conference: Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference grandconference allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference grandconference allows Object Injection.This issue affects Grand Conference: from n/a through <= 5.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39352 — Themegoods Grand_restaurant: Missing Authorization vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Exploiting Incorrectly Configured Access Control
Missing Authorization vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Restaurant: from n/a through <= 7.0. CVSSv3.1 8.2 (HIGH)
CVE-2025-39350 — Authorization: Missing Authorization vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a through
Missing Authorization vulnerability in Rocket Apps wProject wproject.This issue affects wProject: from n/a through < 5.8.0. CVSSv3.1 8.2 (HIGH)
CVE-2025-39349 — Potenzaglobalsolutions Ciyashop: Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop ciyashop allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop ciyashop allows Object Injection.This issue affects CiyaShop: from n/a through <= 4.18.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39348 — Themegoods Grand_restaurant: Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0. CVSSv3.1 9.8 (CRITICAL)