Critical Vulnerabilities with Public Exploits
Updated 26m agoSearch and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.
4,101 results
Clear all
CVE-2025-54466
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.00
Apache Ofbiz < 24.09.02 - Code Injection
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.
Even unauthenticated attackers can exploit this vulnerability.
Users are recommended to upgrade to version 24.09.02, which fixes the issue.
CWE-94
Aug 15, 2025
CVE-2025-53606
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.00
Apache Seata <2.5.0 - Deserialization
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).
This issue affects Apache Seata (incubating): 2.4.0.
Users are recommended to upgrade to version 2.5.0, which fixes the issue.
CWE-502
Aug 08, 2025
CVE-2025-32897
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.01
Apache Seata < 2.3.0 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).
This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow.
This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0.
Severity Justification:
The Apache Seata security team assesses the severity of this vulnerability as "Low" due to stringent real-world mitigating factors. First, the vulnerability is strictly isolated to the Raft cluster mode, an optional and non-default feature introduced in v2.0.0, while most users rely on the unaffected traditional architecture. Second, Seata is an internal middleware; communication between TC and RM/TM occurs entirely within trusted internal networks. An attacker would require prior, unauthorized access to the Intranet to exploit this, making external exploitation highly improbable.
Users are recommended to upgrade to version 2.3.0, which fixes the issue.
CWE-502
Jun 28, 2025
CVE-2025-4981
9.9
CRITICAL
1 PoC
Analysis
EPSS 0.02
Mattermost Server < 9.11.16 - Uncontrolled Search Path
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.
CWE-427
Jun 20, 2025
CVE-2025-27531
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.00
Apache InLong <2.1.0 - Deserialization
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 before 2.1.0,
this issue would allow an authenticated attacker to read arbitrary files by double writing the param.
Users are recommended to upgrade to version 2.1.0, which fixes the issue.
CWE-502
Jun 06, 2025
CVE-2025-47916
10.0
CRITICAL
EXPLOITED
4 PoCs
Analysis
NUCLEI
EPSS 0.91
Invisioncommunity < 5.0.7 - Remote Code Execution
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.
CWE-1336
May 16, 2025
CVE-2025-29953
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.00
Apache ActiveMQ NMS OpenWire Client <2.1.1 - Deserialization
Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.
This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed.
The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether.
Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.
CWE-502
Apr 18, 2025
CVE-2025-24490
9.6
CRITICAL
1 PoC
Analysis
EPSS 0.00
Mattermost Server < 9.11.8 - SQL Injection
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.
CWE-89
Feb 24, 2025
CVE-2025-68860
9.8
CRITICAL
2 PoCs
Analysis
EPSS 0.00
Mobile builder <1.4.2 - Auth Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through <= 1.4.2.
CWE-288
Dec 29, 2025
CVE-2025-1716
9.8
CRITICAL
4 PoCs
Analysis
EPSS 0.16
picklescan <0.0.21 - Code Injection
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
CWE-184
Feb 26, 2025
CVE-2025-1242
9.1
CRITICAL
2 PoCs
1 Writeup
Analysis
EPSS 0.00
Gardyn IoT Hub - Info Disclosure
The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.
CWE-798
Feb 25, 2026
CVE-2025-60355
9.8
CRITICAL
1 PoC
Analysis
EPSS 0.00
zhangyd-c OneBlog <2.3.9 - Server-Side Template Injection
zhangyd-c OneBlog v2.3.9 and before was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CWE-1336
Oct 28, 2025
CVE-2025-58159
9.9
CRITICAL
1 PoC
Analysis
EPSS 0.01
Wegia < 3.4.11 - Code Injection
WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11.
CWE-434
Aug 29, 2025
CVE-2025-55010
9.1
CRITICAL
1 PoC
1 Writeup
Analysis
EPSS 0.04
Kanboard <1.2.47 - Remote Code Execution
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.
CWE-502
Aug 12, 2025
CVE-2025-53833
10.0
CRITICAL
EXPLOITED
2 PoCs
Analysis
NUCLEI
EPSS 0.17
LaRecipe <2.8.1 - SSRF/RCE
LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch.
CWE-1336
Jul 14, 2025
CVE-2025-1302
9.8
CRITICAL
EXPLOITED
3 PoCs
Analysis
NUCLEI
EPSS 0.89
NPM Jsonpath-plus < 10.3.0 - Code Injection
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
**Note:**
This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
CWE-94
Feb 15, 2025
CVE-2025-8572
9.8
CRITICAL
2 PoCs
Analysis
EPSS 0.00
Truelysell Core <1.8.7 - Privilege Escalation
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.
CWE-269
Feb 14, 2026
CVE-2025-64155
9.8
CRITICAL
EXPLOITED
6 PoCs
Analysis
EPSS 0.00
Fortinet Fortisiem < 7.1.9 - OS Command Injection
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests.
CWE-78
Jan 13, 2026
CVE-2025-59470
9.0
CRITICAL
2 PoCs
Analysis
EPSS 0.00
Veeam Backup & Replication < 13.0.1.1071 - Command Injection
This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
CWE-77
Jan 08, 2026
CVE-2025-4606
9.8
CRITICAL
4 PoCs
Analysis
EPSS 0.00
Uxper Sala - Startup & SaaS WordPress Theme <=1.1.4 - Privilege Escalation via Account Takeover
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
CWE-620
Jul 09, 2025