Latest Critical CVEs
Updates on the latest high and critical severity vulnerabilities.
CVE-2025-3928 - Commvault Web Server Remote Webshell Execution
CVE ID: CVE-2025-3928
Published: April 25, 2025, 4:15 p.m.
Description: Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3642 - Moodle EQUELLA Remote Code Execution Vulnerability
CVE ID: CVE-2025-3642
Published: April 25, 2025, 3:15 p.m.
Description: A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3641 - Moodle Dropbox Repository Remote Code Execution Vulnerability
CVE ID: CVE-2025-3641
Published: April 25, 2025, 3:15 p.m.
Description: A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32432 - Craft CMS Remote Code Execution Vulnerability
CVE ID: CVE-2025-32432
Published: April 25, 2025, 3:15 p.m.
Description: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2470 - Nextend Social Login WordPress Plugin Privilege Escalation Vulnerability
CVE ID: CVE-2025-2470
Published: April 25, 2025, 12:15 p.m.
Description: The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 5.1. This is due to a lack of restriction on user role in the 'nsl_registration_store_extra_input' function. This makes it possible for unauthenticated attackers to register an account on the site with an arbitrary role, including Administrator, when registering via a social login. The Nextend Social Login plugin must be installed and configured to exploit the vulnerability.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11917 - Xing and Google Vulnerability: Authentication Bypass in JobSearch WP Job Board Plugin
CVE ID: CVE-2024-11917
Published: April 25, 2025, 12:15 p.m.
Description: The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.8. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or as any connected Xing user if that user's Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if that user has logged in within the last thirty days without subsequently logging out. The vulnerability was partially patched in version 2.8.4.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1279 - WordPress BM Content Builder Unauthenticated Privilege Escalation
CVE ID: CVE-2025-1279
Published: April 25, 2025, 9:15 a.m.
Description: The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46616 - Quantum StorNext Web GUI API RCE
CVE ID: CVE-2025-46616
Published: April 25, 2025, 7:15 a.m.
Description: Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via file upload. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2238 - Vikinger WordPress Privilege Escalation Vulnerability
CVE ID: CVE-2025-2238
Published: April 25, 2025, 7:15 a.m.
Description: The Vikinger theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.30. This is due to insufficient user_meta restrictions in the 'vikinger_user_meta_update_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator-level.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-43865 - React Router HTTP Header Injection Vulnerability
CVE ID: CVE-2025-43865
Published: April 25, 2025, 1:15 a.m.
Description: React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows an attacker to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2185 - ALBEDO Telecom Net.Time PTP/NTP Clock Authentication Bypass
CVE ID: CVE-2025-2185
Published: April 25, 2025, 12:15 a.m.
Description: ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46275 - Fortinet FortiSwitch Unauthenticated Administrator Account Creation
CVE ID: CVE-2025-46275
Published: April 24, 2025, 11:15 p.m.
Description: WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46274 - UNI-NMS-Lite Authentication Bypass
CVE ID: CVE-2025-46274
Published: April 24, 2025, 11:15 p.m.
Description: UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46273 - UNI-NMS-Lite Hard-Coded Credentials Authentication Bypass
CVE ID: CVE-2025-46273
Published: April 24, 2025, 11:15 p.m.
Description: UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46272 - D-Link Router Command Injection Vulnerability
CVE ID: CVE-2025-46272
Published: April 24, 2025, 11:15 p.m.
Description: WGS-80HPT-V2 and WGS-4215-8T2S are vulnerable to a command injection attack that could allow an unauthenticated attacker to execute OS commands on the host system.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46271 - UNI-NMS-Lite Command Injection Vulnerability
CVE ID: CVE-2025-46271
Published: April 24, 2025, 11:15 p.m.
Description: UNI-NMS-Lite is vulnerable to a command injection attack that could allow an unauthenticated attacker to read or manipulate device data.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-43859 - Apache h11 Chunked-Coding Request Smuggling Vulnerability
CVE ID: CVE-2025-43859
Published: April 24, 2025, 7:15 p.m.
Description: h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-43858 - YouTubeDLSharp Windows Command Injection Vulnerability
CVE ID: CVE-2025-43858
Published: April 24, 2025, 6:15 p.m.
Description: YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of malicious commands when starting `yt-dlp` from a command prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and the user cannot disable it from these methods. This issue has been patched in version 1.1.2.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-31324 - SAP NetWeaver Unauthenticated Remote Code Execution
CVE ID: CVE-2025-31324
Published: April 24, 2025, 5:15 p.m.
Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46264 - Angelo Mandato PowerPress Podcasting Unrestricted File Upload Vulnerability
CVE ID: CVE-2025-46264
Published: April 24, 2025, 4:15 p.m.
Description: An Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows uploading a web shell to a web server. This issue affects PowerPress Podcasting: from n/a through 11.12.5.
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...