Latest Critical CVEs
Updates on the latest high and critical severity vulnerabilities.
-
CVE-2025-2421 - Profelis Informatics SambaBox Code Injection Vulnerability
CVE ID: CVE-2025-2421
Published: May 2, 2025, 12:15 p.m.
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows code injection. This issue affects SambaBox versions before 5.1.
Severity: 8.2 | HIGH
-
CVE-2025-2812 - Mydata Informatics Ticket Sales Automation SQL Injection
CVE ID: CVE-2025-2812
Published: May 2, 2025, 9:15 a.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows blind SQL injection. This issue affects Ticket Sales Automation builds before 03.04.2025 (DD.MM.YYYY, i.e. 3 April 2025).
Severity: 9.8 | CRITICAL
-
CVE-2025-3709 - Agentflow from Flowring Technology Account Lockout Bypass Vulnerability
CVE ID: CVE-2025-3709
Published: May 2, 2025, 4:15 a.m.
Description: Agentflow from Flowring Technology has an account lockout bypass vulnerability that allows unauthenticated remote attackers to run password brute-force attacks against accounts that should have been locked.
Severity: 9.8 | CRITICAL
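The advisory above does not say how Agentflow's lockout is bypassed. The Python below is an added illustration (not Flowring's code) of what a lockout has to get right for the description's "brute force despite lockout" not to happen: the failure counter is keyed on a normalised account name rather than the raw string the client sent, the lockout check runs before the password is verified, and the counter uses a sliding window. The thresholds, usernames, password and clock are constructed for the demo; the spelling-variation bypass it defends against is a common cause in generic code, not a claim about Agentflow.

```python
import time
import unicodedata
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures inside the window before the account locks
WINDOW_SECONDS = 900    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long the account then stays locked


def canonical_account(username: str) -> str:
    """Key the counter on a normalised account name.

    'Admin', ' admin' and a fullwidth 'ａｄｍｉｎ' all resolve to the same
    stored account, so they must share one failure budget; a counter keyed
    on the raw string gives each spelling its own MAX_FAILURES attempts.
    """
    return unicodedata.normalize("NFKC", username).strip().casefold()


class LockoutTracker:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for tests
        self._failures = defaultdict(deque)  # account -> recent failure timestamps
        self._locked_until = {}              # account -> unlock time

    def is_locked(self, username: str) -> bool:
        account = canonical_account(username)
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() < until:
            return True
        del self._locked_until[account]      # lockout expired: reset the budget
        self._failures[account].clear()
        return False

    def record_failure(self, username: str) -> bool:
        """Count one failed login; return True if that failure locked the account."""
        account = canonical_account(username)
        now = self._now()
        recent = self._failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username: str) -> None:
        account = canonical_account(username)
        self._failures[account].clear()
        self._locked_until.pop(account, None)


def attempt_login(tracker, username, password, check_password) -> str:
    """One login attempt: 'locked', 'ok' or 'failed'.

    The lockout check runs first, so a locked account rejects even the correct
    password; otherwise a brute force could simply continue through the lockout.
    """
    if tracker.is_locked(username):
        return "locked"
    if check_password(username, password):
        tracker.record_success(username)
        return "ok"
    tracker.record_failure(username)
    return "failed"


class FakeClock:
    """Constructed clock so the demo is deterministic."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    tracker = LockoutTracker(now=clock)
    users = {"admin": "correct horse battery staple"}   # constructed credential store

    def check(username, password):
        return users.get(canonical_account(username)) == password

    outcomes = []
    # Five wrong guesses, each with a different spelling of the same account.
    for spelling in ["admin", "Admin", " ADMIN ", "ａｄｍｉｎ", "admin"]:
        outcomes.append(attempt_login(tracker, spelling, "guess", check))
    # Sixth attempt has the real password, but the account is now locked.
    outcomes.append(attempt_login(tracker, "admin", users["admin"], check))
    clock.t += LOCKOUT_SECONDS + 1
    outcomes.append(attempt_login(tracker, "admin", users["admin"], check))
    return outcomes
```

demo() returns five "failed" results, then "locked" for the correct password, then "ok" once the lockout has expired. A counter keyed on the raw username would have treated the five spellings as five accounts and never locked.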
-
CVE-2025-3708 - Le-Yan Le-Show Medical SQL Injection Vulnerability
CVE ID: CVE-2025-3708
Published: May 2, 2025, 4:15 a.m.
Description: The Le-show medical practice management system from Le-yan has a SQL injection vulnerability that allows unauthenticated remote attackers to inject arbitrary SQL commands and read, modify, or delete database contents.
Severity: 9.8 | CRITICAL
-
CVE-2024-13418 - WordPress Theme/Plugin Arbitrary File Upload Vulnerability
CVE ID: CVE-2024-13418
Published: May 2, 2025, 4:15 a.m.
Description: Multiple plugins and/or themes for WordPress are vulnerable to arbitrary file upload due to a missing capability check on the ajaxUploadFonts() function in various versions. This makes it possible for authenticated attackers with Subscriber-level access and above to upload arbitrary files, which can lead to remote code execution. The issue was escalated to Envato more than two months before this disclosure and, while partially patched, the affected code is still vulnerable.
Severity: 8.8 | HIGH
-
CVE-2025-3746 - WordPress One Tap Signin Plugin Authentication Bypass
CVE ID: CVE-2025-3746
Published: May 2, 2025, 3:15 a.m.
Description: The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity before updating their details, such as the email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and use that to reset the user's password and gain access to the account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.
Severity: 9.8 | CRITICAL
-
CVE-2025-36521 - MicroDicom DICOM Viewer Out-of-Bounds Read Vulnerability
CVE ID: CVE-2025-36521
Published: May 1, 2025, 7:15 p.m.
Description: MicroDicom DICOM Viewer is vulnerable to an out-of-bounds read which may allow an attacker to cause memory corruption within the application. The user must open a malicious DCM file for exploitation.
Severity: 8.8 | HIGH
-
CVE-2025-35996 - KUNBUS PiCtory Stored Cross-Site Scripting (XSS)
CVE ID: CVE-2025-35996
Published: May 1, 2025, 7:15 p.m.
Description: KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that is stored by the API endpoints. That filename is later sent to the client to display the list of configuration files. Because it is neither escaped nor sanitized, the filename is rendered as HTML (for example as a script tag), resulting in a stored cross-site scripting attack.
Severity: 9.0 | CRITICAL
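The two controls the PiCtory description says are missing, as an added Python illustration (not KUNBUS code): an allowlist on the name at the API that stores it, and HTML escaping of every name when the file list is rendered. The `.rsc` extension, the list markup and the stored names are constructed for the demo; the save endpoint the validator would sit in is hypothetical.

```python
import html
import re

# Allowlist for names the (hypothetical) save endpoint stores: one path
# component, a conservative character set, a fixed extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.rsc")


def validate_config_name(name: str) -> str:
    """Return name if it is acceptable, else raise ValueError.

    Rejecting markup characters at the store blocks the payload early;
    rejecting separators and '..' matters for the storage side of the same
    endpoint.
    """
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected file name: {name!r}")
    return name


def accepts(name: str) -> bool:
    try:
        validate_config_name(name)
        return True
    except ValueError:
        return False


def render_file_list(names) -> str:
    """Render the stored names as an HTML list, escaping each one on output.

    This is the control that still holds for names that reached the store
    without validation (older data, another code path). quote=True also
    neutralises quotes, so the same escaping is safe inside attribute values.
    """
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in names)
    return f'<ul class="config-files">{items}</ul>'


# Constructed contents of the store: one normal name and two hostile ones of
# the kind the advisory describes.
STORED_NAMES = [
    "machine1.rsc",
    "<script>alert(document.cookie)</script>.rsc",
    '" onmouseover="alert(1)',
]


def demo():
    accepted = [name for name in STORED_NAMES if accepts(name)]
    return accepted, render_file_list(STORED_NAMES)
```

Only the first stored name passes validation, and the rendered list contains no tag from either hostile name; the two checks are independent, so the render stays safe even if the validator is bypassed.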
-
CVE-2025-35975 - MicroDicom DICOM Viewer Out-of-Bounds Write RCE
CVE ID: CVE-2025-35975
Published: May 1, 2025, 7:15 p.m.
Description: MicroDicom DICOM Viewer is vulnerable to an out-of-bounds write which may allow an attacker to execute arbitrary code. The user must open a malicious DCM file for exploitation.
Severity: 8.8 | HIGH
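Both MicroDicom entries (CVE-2025-36521 and CVE-2025-35975) are parser bugs triggered by a crafted DCM file. The Python below is an added illustration, not MicroDicom code, of a bounds-checked reader for DICOM data elements in explicit VR little-endian encoding: each declared value length is checked against the bytes that actually remain before it is used as a read size. The page does not say which element or VR triggers the real bugs; the element stream here is constructed, and it is a bare element sequence without the 128-byte preamble, "DICM" magic and file meta group that a full Part 10 file carries.

```python
import struct

# VRs whose header has 2 reserved bytes and a 32-bit length; all others use a 16-bit length.
LONG_LENGTH_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV",
                   "UC", "UN", "UR", "UT", "UV"}
UNDEFINED_LENGTH = 0xFFFFFFFF


class DicomError(ValueError):
    """Raised for any element that does not fit in the bytes available."""


def parse_elements(data: bytes):
    """Return [(tag, vr, value), ...] for an explicit-VR little-endian element stream.

    Every read is checked against len(data) before it happens, and a declared
    value length that exceeds the bytes remaining is rejected rather than used
    as a read or copy size.
    """
    pos, n = 0, len(data)
    elements = []
    while pos < n:
        if n - pos < 6:
            raise DicomError(f"truncated element header at offset {pos}")
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii", errors="replace")
        if not (vr.isascii() and vr.isalpha() and vr.isupper()):
            raise DicomError(f"bad VR {vr!r} at offset {pos + 4}")
        pos += 6
        if vr in LONG_LENGTH_VRS:
            if n - pos < 6:
                raise DicomError(f"truncated length field at offset {pos}")
            length = struct.unpack_from("<I", data, pos + 2)[0]   # skip 2 reserved bytes
            pos += 6
        else:
            if n - pos < 2:
                raise DicomError(f"truncated length field at offset {pos}")
            length = struct.unpack_from("<H", data, pos)[0]
            pos += 2
        if length == UNDEFINED_LENGTH:
            raise DicomError(f"undefined-length element ({group:04X},{elem:04X}) not handled here")
        if length > n - pos:   # the check an out-of-bounds read or write is missing
            raise DicomError(f"element ({group:04X},{elem:04X}) declares {length} bytes, "
                             f"only {n - pos} remain")
        elements.append(((group, elem), vr, data[pos:pos + length]))
        pos += length
    return elements


def rejects(data: bytes) -> bool:
    """True if the parser refuses the stream instead of reading past it."""
    try:
        parse_elements(data)
    except DicomError:
        return True
    return False


def element(group: int, elem: int, vr: str, value: bytes) -> bytes:
    """Encode one element (used only to build the constructed samples)."""
    head = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return head + b"\0\0" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


# Constructed stream: Patient's Name, Rows, and an 8-byte Pixel Data element.
GOOD = (element(0x0010, 0x0010, "PN", b"DOE^JOHN")
        + element(0x0028, 0x0010, "US", struct.pack("<H", 512))
        + element(0x7FE0, 0x0010, "OW", b"\x00\x01" * 4))

# Same bytes with Pixel Data's 32-bit length rewritten to claim 1 MiB; the
# length field sits 12 bytes before the end (4 length + 8 value bytes).
BAD_LENGTH = GOOD[:-12] + struct.pack("<I", 1 << 20) + GOOD[-8:]
TRUNCATED = GOOD[:-3]   # file cut off inside the last value
```

A viewer that trusts the 1 MiB length in BAD_LENGTH and copies that many bytes out of an 8-byte buffer is the out-of-bounds read; one that allocates from the declared length and then writes the actual data, or vice versa, is the out-of-bounds write. Both inputs here are refused before any value bytes are touched.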
-
CVE-2025-32011 - KUNBUS PiCtory Authentication Bypass Vulnerability
CVE ID: CVE-2025-32011
Published: May 1, 2025, 7:15 p.m.
Description: KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability: a path traversal flaw lets a remote attacker bypass authentication and gain access.
Severity: 9.8 | CRITICAL
-
CVE-2025-24522 - KUNBUS Revolution Pi Node-RED Remote Command Execution
CVE ID: CVE-2025-24522
Published: May 1, 2025, 7:15 p.m.
Description: KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server, where they can run arbitrary commands on the underlying operating system. (Node-RED only requires credentials for its editor and admin API when adminAuth is set in its settings.js; without it, anyone who can reach the port can deploy flows, and the built-in exec node runs shell commands as the Node-RED process.)
Severity: 10.0 | CRITICAL
-
CVE-2025-46337 - ADOdb PostgreSQL SQL Injection Vulnerability
CVE ID: CVE-2025-46337
Published: May 1, 2025, 6:15 p.m.
Description: ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
Severity: 10.0 | CRITICAL
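The ADOdb advisory above describes an identifier that is built from caller-supplied data and dropped into a query without escaping. The Python below is an added illustration of that pattern and its fix, not ADOdb code: the advisory does not show the vulnerable statement, so the shape used here (`SELECT last_value FROM <table>_<field>_seq`) is an assumption. sqlite3 stands in for PostgreSQL because both quote identifiers the same way (double quotes, embedded quotes doubled), which is the only SQL rule the example depends on; the tables, values and hostile field name are constructed.

```python
import sqlite3


def quote_ident(name: str) -> str:
    """Quote an SQL identifier as PostgreSQL (and SQLite) expect: double quotes,
    with any embedded double quote doubled."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def last_value_unsafe(conn, table: str, field: str):
    """Vulnerable pattern: the sequence name is concatenated straight into SQL."""
    sql = f"SELECT last_value FROM {table}_{field}_seq"
    return [row[0] for row in conn.execute(sql)]


def last_value_safe(conn, table: str, field: str):
    """Fixed pattern: the assembled name is quoted, so it names exactly one table."""
    sql = f"SELECT last_value FROM {quote_ident(f'{table}_{field}_seq')}"
    return [row[0] for row in conn.execute(sql)]


def make_db():
    """Constructed schema: a table standing in for a sequence, plus a table
    holding something the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders_id_seq (last_value INTEGER);
        INSERT INTO orders_id_seq VALUES (42);
        CREATE TABLE api_keys (secret TEXT);
        INSERT INTO api_keys VALUES ('sk-constructed-secret');
    """)
    return conn


# Attacker-controlled field name: completes the real sequence name, appends a
# UNION against another table, and comments out the trailing "_seq".
HOSTILE_FIELD = "id_seq UNION SELECT secret FROM api_keys --"


def demo():
    conn = make_db()
    normal = last_value_safe(conn, "orders", "id")
    leaked = last_value_unsafe(conn, "orders", HOSTILE_FIELD)
    try:
        last_value_safe(conn, "orders", HOSTILE_FIELD)
        blocked = False
    except sqlite3.OperationalError:   # "no such table": the quoted name is taken literally
        blocked = True
    return normal, leaked, blocked
```

The unsafe call returns the secret alongside the sequence value; the quoted call fails with "no such table" because the whole hostile string is looked up as one identifier. In real code the quoting should come from the driver (pg_escape_identifier() in PHP, psycopg's sql.Identifier in Python) rather than a hand-rolled function, and table and column names that originate from users should additionally be checked against an allowlist.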
-
CVE-2025-23254 - NVIDIA TensorRT-LLM Python Executor Code Execution and Data Tampering Vulnerability
CVE ID: CVE-2025-23254
Published: May 1, 2025, 2:15 p.m.
Description: NVIDIA TensorRT-LLM for any platform contains a vulnerability in the Python executor where an attacker with local access to the TRTLLM server may cause a data validation issue. A successful exploit may lead to code execution, information disclosure and data tampering.
Severity: 8.8 | HIGH
-
CVE-2025-27007 - Brainstorm Force SureTriggers Privilege Escalation Vulnerability
CVE ID: CVE-2025-27007
Published: May 1, 2025, 11:15 a.m.
Description: Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows privilege escalation. This issue affects all SureTriggers versions through 1.0.82.
Severity: 9.8 | CRITICAL
-
CVE-2025-47154 - Ladybird LibJS Use-After-Free Remote Code Execution Vulnerability
CVE ID: CVE-2025-47154
Published: May 1, 2025, 8:15 a.m.
Description: LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js file. NOTE: the GitHub README says "Ladybird is in a pre-alpha state, and only suitable for use by developers."
Severity: 9.0 | CRITICAL
-
CVE-2025-4150 - Netgear EX6200 Remote Buffer Overflow
CVE ID: CVE-2025-4150
Published: May 1, 2025, 5:15 a.m.
Description: A vulnerability rated critical was found in Netgear EX6200 1.0.3.94. It affects the function sub_54340: manipulation of the host argument leads to a buffer overflow. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond.
Severity: 8.8 | HIGH
-
CVE-2025-3952 - Projectopia WordPress Project Management Unauthenticated Option Deletion
CVE ID: CVE-2025-3952
Published: May 1, 2025, 5:15 a.m.
Description: The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service, due to a missing capability check on the 'pto_remove_logo' function in all versions up to and including 5.1.16. This makes it possible for authenticated attackers with Subscriber-level access and above to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option whose absence causes an error on the site, denying service to legitimate users.
Severity: 8.1 | HIGH
-
CVE-2025-4149 - Netgear EX6200 Remote Buffer Overflow Vulnerability
CVE ID: CVE-2025-4149
Published: May 1, 2025, 4:16 a.m.
Description: A vulnerability rated critical was found in Netgear EX6200 1.0.3.94. It affects the function sub_54014: manipulation of the host argument leads to a buffer overflow. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond.
Severity: 8.8 | HIGH
-
CVE-2025-4148 - Netgear EX6200 Remote Buffer Overflow Vulnerability
CVE ID: CVE-2025-4148
Published: May 1, 2025, 4:16 a.m.
Description: A vulnerability rated critical was found in Netgear EX6200 1.0.3.94. It affects the function sub_503FC: manipulation of the host argument leads to a buffer overflow. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond.
Severity: 8.8 | HIGH
-
CVE-2025-1305 - NewsBlogger WordPress CSRF Remote Code Execution Vulnerability
CVE ID: CVE-2025-1305
Published: May 1, 2025, 4:16 a.m.
Description: The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.
Severity: 8.8 | HIGH
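Four WordPress entries on this page (CVE-2024-13418, CVE-2025-3746, CVE-2025-3952 and this one, CVE-2025-1305) come down to a privileged action handler that skips a capability check, a nonce check, or the check that the account being modified is the caller's own. The Python below is an added model of those checks, not code from any of those plugins, themes or from WordPress itself; in WordPress the corresponding calls are current_user_can() and check_ajax_referer() or wp_verify_nonce(). The nonce is an HMAC over a 12-hour tick, the action and the user id, with the current and previous tick accepted, which is the scheme WordPress nonces follow; the roles, capabilities, action names, option and user tables and the secret are constructed for the demo.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-site-secret"   # a real site derives this from its salts
TICK_SECONDS = 12 * 3600               # nonce validity bucket, as WordPress uses

ROLE_CAPS = {                          # constructed, cut-down role table
    "subscriber": {"read"},
    "administrator": {"read", "upload_files", "manage_options", "install_plugins"},
}
FONT_EXTENSIONS = {".ttf", ".otf", ".woff", ".woff2"}


class User:
    def __init__(self, uid: int, role: str):
        self.uid, self.role = uid, role

    def can(self, capability: str) -> bool:
        return capability in ROLE_CAPS.get(self.role, set())


ANONYMOUS = User(0, "anonymous")


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS)


def _nonce_for(tick: int, user: User, action: str) -> str:
    msg = f"{tick}|{action}|{user.uid}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(user: User, action: str, now: float = None) -> str:
    """Nonce bound to this user and this action for the current tick."""
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), user, action)


def verify_nonce(nonce: str, user: User, action: str, now: float = None) -> bool:
    """Accept the current and the previous tick; anything older is stale."""
    now = time.time() if now is None else now
    return any(hmac.compare_digest(nonce, _nonce_for(t, user, action))
               for t in (_tick(now), _tick(now) - 1))


def guarded(action: str, capability: str):
    """Decorator: capability check, then nonce check, then the handler."""
    def wrap(handler):
        def run(user: User, request: dict, now: float = None):
            if not user.can(capability):
                return 403, "forbidden"
            if not verify_nonce(request.get("_nonce", ""), user, action, now):
                return 403, "bad nonce"
            return 200, handler(user, request)
        return run
    return wrap


SITE_OPTIONS = {"siteurl": "https://example.invalid", "logo": "logo.png"}  # constructed
USER_EMAILS = {1: "admin@example.invalid", 7: "sub@example.invalid"}         # constructed


@guarded("remove_logo", "manage_options")
def remove_logo(user, request):
    # Deletes one fixed option; the option name never comes from the request.
    SITE_OPTIONS.pop("logo", None)
    return "logo removed"


@guarded("upload_font", "upload_files")
def upload_font(user, request):
    name = request["name"]
    if not any(name.lower().endswith(ext) for ext in FONT_EXTENSIONS):
        return "rejected: not a font file"
    return f"stored {name}"


@guarded("change_email", "read")
def change_email(user, request):
    # The account changed is the authenticated one; a user_id in the request is ignored.
    USER_EMAILS[user.uid] = request["email"]
    return f"email of user {user.uid} updated"


def demo(now: float = 1_700_000_000.0) -> dict:
    admin, sub = User(1, "administrator"), User(7, "subscriber")

    def n(user, action, at=now):
        return create_nonce(user, action, at)

    return {
        "subscriber_remove_logo": remove_logo(sub, {"_nonce": n(sub, "remove_logo")}, now),
        "admin_forged_no_nonce": remove_logo(admin, {}, now),
        "admin_nonce_for_other_action": remove_logo(admin, {"_nonce": n(admin, "upload_font")}, now),
        "admin_stale_nonce": remove_logo(
            admin, {"_nonce": n(admin, "remove_logo", now - 3 * TICK_SECONDS)}, now),
        "admin_ok": remove_logo(admin, {"_nonce": n(admin, "remove_logo")}, now),
        "subscriber_upload": upload_font(
            sub, {"_nonce": n(sub, "upload_font"), "name": "shell.php"}, now),
        "admin_upload_php": upload_font(
            admin, {"_nonce": n(admin, "upload_font"), "name": "shell.php"}, now),
        "subscriber_retargets_admin": change_email(
            sub, {"_nonce": n(sub, "change_email"), "user_id": 1,
                  "email": "attacker@example.invalid"}, now),
        "anonymous_change_email": change_email(ANONYMOUS, {"email": "x@example.invalid"}, now),
    }
```

Each entry in demo() maps to one of the advisories: the subscriber is refused before the nonce is even looked at (the missing capability checks in CVE-2024-13418 and CVE-2025-3952), a request without a nonce or with a nonce minted for another action or an old tick is refused even for an administrator (the missing nonce validation in CVE-2025-1305), and a user_id supplied in the request cannot redirect the email change to the administrator (the missing identity check in CVE-2025-3746). The order of the two checks only decides which error a caller sees; both always run.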