Latest Critical CVEs

• CVE-2025-4796 - Eventin WordPress Privilege Escalation Vulnerability

  CVE ID :CVE-2025-4796
  Published : Aug. 8, 2025, 7:15 p.m. | 6 hours, 3 minutes ago
  Description :The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
  Severity: 8.8 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-5095 - Burk Technology ARC Solo Authentication Bypass

  CVE ID :CVE-2025-5095
  Published : Aug. 8, 2025, 6:15 p.m. | 7 hours, 3 minutes ago
  Description :Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request's legitimacy.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-52914 - Mitel MiCollab SQL Injection Vulnerability

  CVE ID :CVE-2025-52914
  Published : Aug. 8, 2025, 6:15 p.m. | 7 hours, 3 minutes ago
  Description :A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 (10.0.1.101) could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQL database commands.
  Severity: 8.8 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-52913 - Mitel MiCollab NuPoint Unified Messaging Path Traversal Vulnerability

  CVE ID :CVE-2025-52913
  Published : Aug. 8, 2025, 6:15 p.m. | 7 hours, 3 minutes ago
  Description :A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-8284 - Packet Power Monitoring and Control Web Interface Authentication Bypass

  CVE ID :CVE-2025-8284
  Published : Aug. 8, 2025, 5:15 p.m. | 8 hours, 3 minutes ago
  Description :By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-53520 - EG4 Firmware Update Vulnerability - Unchecked Archive Exploitation

  CVE ID :CVE-2025-53520
  Published : Aug. 8, 2025, 5:15 p.m. | 8 hours, 3 minutes ago
  Description :The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.
  Severity: 8.8 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-46414 - Apache IoT Device PIN Brute-Force Weakness

  CVE ID :CVE-2025-46414
  Published : Aug. 8, 2025, 5:15 p.m. | 8 hours, 3 minutes ago
  Description :The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.
  Severity: 8.1 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-8731 - TRENDnet SSH Service Default Credentials Vulnerability (Critical)

  CVE ID :CVE-2025-8731
  Published : Aug. 8, 2025, 4:15 p.m. | 9 hours, 3 minutes ago
  Description :A vulnerability was found in TRENDnet TI-G160i, TI-PG102i and TPL-430AP up to 20250724. It has been classified as critical. This affects an unknown part of the component SSH Service. The manipulation leads to use of default credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-8356 - Xerox FreeFlow Core Path Traversal Remote Code Execution

  CVE ID :CVE-2025-8356
  Published : Aug. 8, 2025, 4:15 p.m. | 9 hours, 3 minutes ago
  Description :In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-8730 - Belkin Web Interface Hard-Coded Credentials Remote Vulnerability

  CVE ID :CVE-2025-8730
  Published : Aug. 8, 2025, 3:15 p.m. | 10 hours, 3 minutes ago
  Description :A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2020-9322 - Statamic Core XSS Vulnerability

  CVE ID :CVE-2020-9322
  Published : Aug. 8, 2025, 3:15 p.m. | 10 hours, 3 minutes ago
  Description :The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.
  Severity: 8.8 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-8748 - MiR Command Injection Vulnerability

  CVE ID :CVE-2025-8748
  Published : Aug. 8, 2025, 11:15 a.m. | 14 hours, 3 minutes ago
  Description :MiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious HTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the underlying operating system.
  Severity: 8.8 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-53606 - Apache Seata (incubating) Deserialization of Untrusted Data Remote Code Execution

  CVE ID :CVE-2025-53606
  Published : Aug. 8, 2025, 10:15 a.m. | 15 hours, 3 minutes ago
  Description :Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-48913 - Apache CXF JMS Untrusted Configuration RCE

  CVE ID :CVE-2025-48913
  Published : Aug. 8, 2025, 10:15 a.m. | 15 hours, 3 minutes ago
  Description :If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-54887 - jwe JSON Web Encryption Authentication Tag Brute Force Vulnerability

  CVE ID :CVE-2025-54887
  Published : Aug. 8, 2025, 1:15 a.m. | 1 day ago
  Description :jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1.
  Severity: 9.1 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-54886 - Skops Remote Code Execution Vulnerability

  CVE ID :CVE-2025-54886
  Published : Aug. 8, 2025, 1:15 a.m. | 1 day ago
  Description :skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.
  Severity: 8.4 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-54952 - ExecuTorch Integer Overflow Code Execution Vulnerability

  CVE ID :CVE-2025-54952
  Published : Aug. 8, 2025, 12:15 a.m. | 1 day, 1 hour ago
  Description :An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b.
  Severity: 9.8 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-53792 - Azure Portal Unauthenticated Remote Command Injection

  CVE ID :CVE-2025-53792
  Published : Aug. 7, 2025, 9:15 p.m. | 1 day, 4 hours ago
  Description :Azure Portal Elevation of Privilege Vulnerability
  Severity: 9.1 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-53787 - Microsoft 365 Copilot BizChat Sensitive Data Exposure

  CVE ID :CVE-2025-53787
  Published : Aug. 7, 2025, 9:15 p.m. | 1 day, 4 hours ago
  Description :Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
  Severity: 8.2 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-53767 - Azure OpenAI Privilege Escalation

  CVE ID :CVE-2025-53767
  Published : Aug. 7, 2025, 9:15 p.m. | 1 day, 4 hours ago
  Description :Azure OpenAI Elevation of Privilege Vulnerability
  Severity: 10.0 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...