CVE Feeds
Latest Critical CVEs
Updates on the latest high- and critical-severity vulnerabilities.
CVE-2025-23316 - NVIDIA Triton Inference Server Python Backend Remote Code Execution Vulnerability
CVE ID: CVE-2025-23316
Published: Sept. 17, 2025, 10:15 p.m.
Description: NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could achieve remote code execution by manipulating the model name parameter in the model control APIs. A successful exploit might lead to remote code execution, denial of service, information disclosure, and data tampering.
Severity: 9.8 | CRITICAL
CVE-2025-23268 - NVIDIA Triton Inference Server DALI Code Execution Vulnerability
CVE ID: CVE-2025-23268
Published: Sept. 17, 2025, 10:15 p.m.
Description: NVIDIA Triton Inference Server contains an improper input validation vulnerability in the DALI backend. A successful exploit may lead to code execution.
Severity: 8.0 | HIGH
CVE-2025-10644 - Wondershare Repairit SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability
CVE ID: CVE-2025-10644
Published: Sept. 17, 2025, 9:15 p.m.
Description: This vulnerability allows remote attackers to bypass authentication on Wondershare Repairit; authentication is not required to exploit it. The specific flaw exists within the permissions granted to a SAS token. An attacker can leverage this vulnerability to launch a supply-chain attack and execute arbitrary code on customers' endpoints. Was ZDI-CAN-26892.
Severity: 9.4 | CRITICAL
CVE-2025-10643 - Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability
CVE ID: CVE-2025-10643
Published: Sept. 17, 2025, 9:15 p.m.
Description: This vulnerability allows remote attackers to bypass authentication on affected installations of Wondershare Repairit; authentication is not required to exploit it. The specific flaw exists within the permissions granted to a storage account token. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26902.
Severity: 9.1 | CRITICAL
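Both Wondershare entries above come down to a storage token that grants more than the client needs. The helper below is an added example, not code from the feed, from Wondershare or from ZDI: it audits a shared access signature URL of the kind recovered from a client binary or installer, assuming the Azure Storage SAS query-parameter format (sp, se, sr/srt, sig), which is what "SAS token" conventionally denotes; the page itself does not say which storage service is involved. The account, container and blob names are constructed and the signature value is a dummy; the signature is not verified, since that needs the storage account key.

```python
"""Added example, not Wondershare's or ZDI's code: audit a SAS URL for
permissions, scope and lifetime. Assumes the Azure Storage SAS format."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Blob/container SAS permission letters handled here: read, add, create, write, delete, list.
PERMISSION_NAMES = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete", "l": "list"}
# Anything beyond read on a distribution container lets an attacker change what clients fetch.
WRITE_CLASS = {"a", "c", "w", "d"}
# Reference time for the constructed samples: the feed's publication date.
AS_OF = datetime(2025, 9, 18, tzinfo=timezone.utc)


def parse_sas(url: str) -> dict:
    """Single-valued SAS query parameters of a URL as a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def _parse_utc(value: str) -> datetime:
    """Azure accepts full ISO 8601 UTC timestamps or a bare date in se/st."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def audit_sas(url: str, now: datetime = AS_OF, max_days: int = 7) -> dict:
    """Flag a SAS that is write-capable, listable, broadly scoped, long-lived or unexpiring."""
    sas = parse_sas(url)
    perms = set(sas.get("sp", ""))
    findings = []
    write_perms = sorted(perms & WRITE_CLASS)
    if write_perms:
        findings.append("write-capable: " + ", ".join(PERMISSION_NAMES[p] for p in write_perms))
    if "l" in perms:
        findings.append("list permission exposes every object in scope")
    if sas.get("sr") == "c" or "srt" in sas:
        findings.append("scoped to a whole container or account, not a single blob")
    expires_in = None
    if "se" in sas:
        expires_in = (_parse_utc(sas["se"]) - now).days
        if expires_in > max_days:
            findings.append(f"expires in {expires_in} days (limit {max_days})")
    else:
        findings.append("no expiry (se) parameter")
    return {"permissions": sorted(perms), "expires_in_days": expires_in, "findings": findings}


# Constructed samples: the shape of token a client might embed for an update container.
OVERPRIVILEGED = ("https://example.blob.core.windows.net/updates"
                  "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&sig=DUMMYSIGNATURE")
READ_ONLY_BLOB = ("https://example.blob.core.windows.net/updates/app-1.2.3.exe"
                  "?sv=2022-11-02&sr=b&sp=r&se=2025-09-20T00:00:00Z&sig=DUMMYSIGNATURE")

if __name__ == "__main__":
    for url in (OVERPRIVILEGED, READ_ONLY_BLOB):
        print(audit_sas(url))
```

A token that a client only needs for downloading should come back with an empty findings list: read-only, scoped to one blob, and expiring within days. Any write-class letter in sp on a container that clients fetch updates from is the supply-chain condition the advisory describes.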
CVE-2025-59340 - jinjava Sandbox Bypass via JavaType-Based Deserialization
CVE ID: CVE-2025-59340
Published: Sept. 17, 2025, 8:15 p.m.
Description: jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs (e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
Severity: 9.8 | CRITICAL
CVE-2025-58766 - Dyad Vulnerable to Remote Code Execution via Top-level Navigation in Preview Window
CVE ID: CVE-2025-58766
Published: Sept. 17, 2025, 6:15 p.m.
Description: Dyad is a local AI app builder. A critical vulnerability affecting Dyad v0.19.0 and earlier allows attackers to execute arbitrary code on users' systems. The flaw is in the application's preview window functionality and can bypass the Docker container protections: an attacker can craft web content that executes automatically when the preview loads, breaks out of the application's security boundaries and gains control of the system. This has been fixed in Dyad v0.20.0 and later.
Severity: 9.0 | CRITICAL
CVE-2025-59304 - Swetrix Web Analytics API Directory Traversal Remote Code Execution
CVE ID: CVE-2025-59304
Published: Sept. 17, 2025, 5:15 p.m.
Description: A directory traversal issue in Swetrix Web Analytics API 3.1.1 before 7d8b972 allows a remote attacker to achieve Remote Code Execution via a crafted HTTP request.
Severity: 9.8 | CRITICAL
CVE-2025-10205 - Predictable Salt and Weak Hashing Algorithm
CVE ID: CVE-2025-10205
Published: Sept. 17, 2025, 3:15 p.m.
Description: Use of a One-Way Hash with a Predictable Salt vulnerability in ABB FLXEON. This issue affects FLXEON: through 9.3.5 and newer versions.
Severity: 9.4 | CRITICAL
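What the weakness class named above looks like in code, as an added example that is not part of the feed and is not ABB's or FLXEON's actual algorithm (the entry does not describe it): a hash whose salt can be derived from public data lets an attacker precompute a dictionary for a target account before any hash leaks, while a random per-record salt with a slow KDF does not. The scheme, account names and passwords are constructed.

```python
"""Added example, not ABB's code: a predictable-salt hash beside a hardened one.
The weak scheme, the account and the wordlist are constructed for the demo."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256


def weak_hash(username: str, password: str) -> str:
    """Salt derived from the username: anyone who knows the scheme can compute it,
    and a fast unkeyed hash makes the offline guess rate enormous."""
    salt = username.lower().encode()
    return hashlib.sha1(salt + password.encode()).hexdigest()


def precompute_table(username: str, wordlist: list) -> dict:
    """Attacker side: hash -> password for one target account, built before any
    hash leaks. With an unpredictable salt this table cannot exist in advance."""
    return {weak_hash(username, pw): pw for pw in wordlist}


def crack_weak(leaked_hash: str, username: str, wordlist: list):
    """Instant lookup once a hash leaks; returns the password or None."""
    return precompute_table(username, wordlist).get(leaked_hash)


def strong_hash(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Random 16-byte salt and a slow KDF; rounds and salt are stored with the digest
    so verification can recover them and the cost can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$", 3)
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    wordlist = ["Winter2024", "Summer2025", "admin123"]       # constructed
    leaked = weak_hash("operator", "Summer2025")               # constructed account
    print("weak scheme recovered:", crack_weak(leaked, "operator", wordlist))
    h1, h2 = strong_hash("Summer2025"), strong_hash("Summer2025")
    print("same password, different records:", h1 != h2, "verify:", verify_strong("Summer2025", h1))
```

The two properties a reviewer checks for are visible in the weak function: the salt is a function of something the attacker already knows, and the hash is a single fast round. Either alone is a finding; together they reduce the hash to a lookup.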
CVE-2025-8077 - NeuVector admin account has insecure default password
CVE ID: CVE-2025-8077
Published: Sept. 17, 2025, 1:15 p.m.
Description: A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.
Severity: 9.8 | CRITICAL
CVE-2025-10439 - SQLi in Yordam Library Automation System
CVE ID: CVE-2025-10439
Published: Sept. 17, 2025, 12:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yordam Informatics Yordam Library Automation System allows SQL Injection. This issue affects Yordam Library Automation System: from 21.5 & 21.6 before 21.7.
Severity: 9.8 | CRITICAL
CVE-2025-10157 - PickleScan Bypasses Unsafe Globals Check Using Submodule Imports
CVE ID: CVE-2025-10157
Published: Sept. 17, 2025, 12:15 p.m.
Description: A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match on module names, so malicious payloads can be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When a file the scanner has incorrectly marked safe is loaded after the scan, malicious code can execute.
Severity: 9.3 | CRITICAL
CVE-2025-10156 - PickleScan Security Bypass via Bad CRC in ZIP Archive
CVE ID: CVE-2025-10156
Published: Sept. 17, 2025, 11:15 a.m.
Description: An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When a file the scanner has incorrectly marked safe is loaded, malicious code can execute.
Severity: 9.3 | CRITICAL
CVE-2025-10155 - PickleScan Security Bypass Using Misleading File Extension
CVE ID: CVE-2025-10155
Published: Sept. 17, 2025, 10:15 a.m.
Description: An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle file security checks by supplying a standard pickle file with a PyTorch-related file extension. When a pickle file the scanner has incorrectly marked safe is loaded, malicious code can execute.
Severity: 9.3 | CRITICAL
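The three picklescan entries above (CVE-2025-10155, CVE-2025-10156, CVE-2025-10157) are all failures of the same scanner design: dispatch on a file extension, stop on a ZIP read error, and compare module names exactly. The scanner below is an added example, not picklescan's own code and not a reconstruction of its internals: a minimal pickle scanner built with the standard library that sniffs the container from the bytes, treats a CRC failure as an unsafe verdict, and matches denylisted modules by root package. The denylist, file names and hand-assembled payloads are constructed; the payloads are only ever scanned, never loaded.

```python
"""Added example, not picklescan's own code: a minimal pickle scanner written to
avoid the three weaknesses in CVE-2025-10155, -10156 and -10157. The denylist,
file names and payloads are constructed for the demonstration."""
import io
import pickletools
import zipfile

# Constructed denylist (real scanners carry far more); 'asyncio' is the package
# named in CVE-2025-10157.
UNSAFE_ROOT_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys", "asyncio"}
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "SHORT_BINSTRING", "BINSTRING", "STRING"}


def is_unsafe_exact(module: str) -> bool:
    """The weak check from CVE-2025-10157: 'asyncio.unix_events' != 'asyncio'."""
    return module in UNSAFE_ROOT_MODULES


def is_unsafe(module: str) -> bool:
    """Fixed check: compare the root package, so every submodule is covered."""
    return module.split(".", 1)[0] in UNSAFE_ROOT_MODULES


def referenced_globals(data: bytes):
    """Yield (module, name) per GLOBAL / STACK_GLOBAL opcode without loading anything.
    Only string pushes are tracked (enough for the pair pushed right before
    STACK_GLOBAL); a production scanner must model the full stack and memo."""
    strings = []
    for op, arg, _pos in pickletools.genops(data):   # ValueError if not a pickle stream
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":                    # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name, module = strings.pop(), strings.pop()
            yield module, name


def scan_pickle(data: bytes, check=is_unsafe) -> list:
    """Dotted names of every denylisted global the stream would import on load."""
    return [f"{m}.{n}" for m, n in referenced_globals(data) if check(m)]


def scan_blob(filename: str, data: bytes, check=is_unsafe) -> dict:
    """Scan one model file. The name is reported but never trusted for dispatch
    (CVE-2025-10155): the container type is sniffed from the bytes. A ZIP member
    whose CRC fails is an error that makes the verdict unsafe (CVE-2025-10156)."""
    findings, errors, skipped = [], [], []
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                try:
                    member = zf.read(info.filename)  # raises BadZipFile on CRC mismatch
                except zipfile.BadZipFile as exc:
                    errors.append(f"{info.filename}: {exc}")
                    continue
                try:
                    findings += scan_pickle(member, check)
                except ValueError:                   # not a pickle (e.g. raw tensor data)
                    skipped.append(info.filename)
    else:
        try:
            findings += scan_pickle(data, check)
        except ValueError:                           # fail closed at the top level
            errors.append(f"{filename}: not a pickle stream")
    return {"file": filename, "safe": not findings and not errors,
            "findings": findings, "errors": errors, "skipped": skipped}


def build_reduce_pickle(module: str, name: str) -> bytes:
    """Hand-assembled protocol-4 pickle that would call module.name() on load;
    it is only ever scanned here, never passed to pickle.loads."""
    def short_unicode(text: str) -> bytes:
        raw = text.encode()
        return b"\x8c" + bytes([len(raw)]) + raw + b"\x94"   # SHORT_BINUNICODE, MEMOIZE
    return (b"\x80\x04" + short_unicode(module) + short_unicode(name)
            + b"\x93)R.")                            # STACK_GLOBAL, EMPTY_TUPLE, REDUCE, STOP


def build_zip(member: str, payload: bytes, corrupt: bool = False) -> bytes:
    """Stored ZIP with one member; corrupt=True flips one payload byte so the
    CRC recorded in the archive no longer matches what zipfile computes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if corrupt:
        raw[raw.find(payload) + 2] ^= 0xFF
    return bytes(raw)


if __name__ == "__main__":
    evil = build_reduce_pickle("os", "system")
    sub = build_reduce_pickle("asyncio.unix_events", "placeholder")   # constructed attribute name
    print("exact:", scan_pickle(sub, is_unsafe_exact), "root:", scan_pickle(sub))
    print(scan_blob("model.pt", evil))                # plain pickle despite the .pt name
    print(scan_blob("model.zip", build_zip("data.pkl", evil, corrupt=True)))
```

The design choice that matters is the verdict shape: a scan that cannot finish (bad CRC, unparseable top-level file) is reported as unsafe with an error, never as safe by omission. Members inside an archive that are not pickle streams are listed as skipped so the caller can see what was not examined, which is the transparency a torch-style archive with raw tensor members needs.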
CVE-2025-59458 - JetBrains Junie Command Injection
CVE ID: CVE-2025-59458
Published: Sept. 17, 2025, 9:15 a.m.
Description: In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50, code execution was possible due to improper command validation.
Severity: 8.3 | HIGH
CVE-2025-9242 - WatchGuard Firebox iked Out of Bounds Write Vulnerability
CVE ID: CVE-2025-9242
Published: Sept. 17, 2025, 8:15 a.m.
Description: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. It affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1.
Severity: 9.3 | CRITICAL
CVE-2025-9972 - Planet Technology|Industrial Cellular Gateway - OS Command Injection
CVE ID: CVE-2025-9972
Published: Sept. 17, 2025, 7:15 a.m.
Description: The N-Reporter, N-Cloud, and N-Probe developed by N-Partner have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
Severity: 9.8 | CRITICAL
CVE-2025-9971 - Planet Technology|Industrial Cellular Gateway - Missing Authentication
CVE ID: CVE-2025-9971
Published: Sept. 17, 2025, 7:15 a.m.
Description: Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality.
Severity: 9.8 | CRITICAL
CVE-2025-9216 - StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
CVE ID: CVE-2025-9216
Published: Sept. 17, 2025, 7:15 a.m.
Description: The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Severity: 8.8 | HIGH
CVE-2025-10058 - WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion
CVE ID: CVE-2025-10058
Published: Sept. 17, 2025, 6:15 a.m.
Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity: 8.1 | HIGH
CVE-2025-10057 - WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection
CVE ID: CVE-2025-10057
Published: Sept. 17, 2025, 6:15 a.m.
Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
Severity: 8.8 | HIGH
Information
Vortech Consulting is a network security and design consulting firm founded in 1997. Over our nearly 30-year history we have provided security services and products for a wide variety of companies around the globe.