| CVE | KEV | CVSS | EPSS | Priority | ATT&CK | Description |
|---|---|---|---|---|---|---|
| CVE-2025-7775 | KEV | 9.8 | 0.00% | 8.36 | — | Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScale |
| CVE-2025-57819 | KEV | 9.8 | 0.00% | 8.36 | T1059.005, T1190 | FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitize |
| CVE-2025-43300 | KEV | 8.8 | 0.00% | 7.66 | T1068 | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 a |
| CVE-2025-50567 | | 10.0 | 0.00% | 7.0 | T1059.005, T1190, T1203 | Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the depreca |
| CVE-2025-48148 | | 10.0 | 0.00% | 7.0 | T1190 | Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. |
| CVE-2025-53577 | | 10.0 | 0.00% | 7.0 | T1203 | Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion. This issue affects |
| CVE-2022-31491 | | 10.0 | 0.00% | 7.0 | T1203 | Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote at |
| CVE-2025-49387 | | 10.0 | 0.00% | 7.0 | T1190 | Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Upload a W |
| CVE-2025-48169 | | 9.9 | 0.00% | 6.93 | T1203 | Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion. This issue a |
| CVE-2025-53213 | | 9.9 | 0.00% | 6.93 | T1190 | Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping all |
| CVE-2025-54049 | | 9.9 | 0.00% | 6.93 | — | Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP allows Privilege Escalation. This issue affects Custom API for |
| CVE-2025-53251 | | 9.9 | 0.00% | 6.93 | T1190 | Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP allows Upload a Web Shell to a Web Server.This issue affec |
| CVE-2025-58048 | | 9.9 | 0.00% | 6.93 | T1190 | Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymente |
| CVE-2025-58159 | | 9.9 | 0.00% | 6.93 | T1203, T1190 | WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by |
| CVE-2025-31100 | | 9.9 | 0.00% | 6.93 | T1190 | Unrestricted Upload of File with Dangerous Type vulnerability in Mojoomla School Management allows Upload a Web Shell to a Web Server.This i |
| CVE-2025-31715 | | 9.8 | 0.00% | 6.86 | — | In vowifi service, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege |
| CVE-2025-55591 | | 9.8 | 0.00% | 6.86 | — | TOTOLINK-A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapD |
| CVE-2025-6758 | | 9.8 | 0.00% | 6.86 | — | The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_registe |
| CVE-2025-8723 | | 9.8 | 0.00% | 6.86 | T1203 | The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient san |
| CVE-2025-54336 | | 9.8 | 0.00% | 6.86 | — | In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, |
| CVE-2025-55294 | | 9.8 | 0.00% | 6.86 | — | screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlle |
| CVE-2024-44373 | | 9.8 | 0.00% | 6.86 | T1105 | A Path Traversal vulnerability in AllSky v2023.05.01_04 allows an unauthenticated attacker to create a webshell and remote code execution vi |
| CVE-2025-55306 | | 9.8 | 0.00% | 6.86 | — | GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API |
| CVE-2025-51543 | | 9.8 | 0.00% | 6.86 | — | An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_p |
| CVE-2025-54143 | | 9.8 | 0.00% | 6.86 | — | Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the p |
| CVE-2025-55031 | | 9.8 | 0.00% | 6.86 | — | Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetoo |
| CVE-2025-8042 | | 9.8 | 0.00% | 6.86 | — | Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefo |
| CVE-2025-9179 | | 9.8 | 0.00% | 6.86 | — | An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed |
| CVE-2025-9187 | | 9.8 | 0.00% | 6.86 | — | Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that w |
| CVE-2025-53299 | | 9.8 | 0.00% | 6.86 | T1190 | Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection. This issue affec |
Priority = 1.5×KEV + 0.7×CVSS + 1.2×EPSS, where KEV is 1 for a CVE listed in the CISA Known Exploited Vulnerabilities catalog (marked KEV above) and 0 otherwise, CVSS is the base score, and EPSS enters the formula as a probability between 0 and 1 (the column shows it as a percentage, so 0.00% contributes nothing). ATT&CK entries are heuristic hints, not verified technique mappings.
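A worked check of the Priority formula, added here as an example and not part of the page's own tooling. It parses rows in the table's seven-column layout, recomputes Priority, flags any row whose printed value disagrees, ranks the CVEs, and derives the CVSS at which a KEV listing outweighs a perfect base score. It assumes EPSS is used as a fraction in [0, 1] in the formula (the percentage rendering in the column is treated as display only); the embedded sample table copies four rows from the page with the descriptions abbreviated.

```python
"""Recompute and rank the page's Priority score (added example, not the page's code).

Priority = 1.5*KEV + 0.7*CVSS + 1.2*EPSS
  KEV  = 1 if the CVE is in the CISA KEV catalog, else 0
  EPSS = exploit-prediction probability as a fraction in [0, 1]  (assumption:
         the table's '0.00%' rendering is display only)
"""
from dataclasses import dataclass

W_KEV, W_CVSS, W_EPSS = 1.5, 0.7, 1.2

# Four rows copied from the page's table; descriptions abbreviated for the example.
SAMPLE_TABLE = """\
| CVE | KEV | CVSS | EPSS | Priority | ATT&CK | Description |
|---|---|---|---|---|---|---|
| CVE-2025-7775 | KEV | 9.8 | 0.00% | 8.36 | — | NetScaler ADC / Gateway memory overflow (RCE/DoS) |
| CVE-2025-43300 | KEV | 8.8 | 0.00% | 7.66 | T1068 | Apple iOS/iPadOS out-of-bounds write |
| CVE-2025-50567 | | 10.0 | 0.00% | 7.0 | T1059.005, T1190, T1203 | Saurus CMS 4.7.1 DB::prepare() preg_replace() |
| CVE-2025-48169 | | 9.9 | 0.00% | 6.93 | T1203 | Jordy Meow Code Engine code injection |
"""


@dataclass(frozen=True)
class Row:
    cve: str
    kev: bool
    cvss: float
    epss: float            # probability in [0, 1]
    table_priority: float  # value printed in the Priority column
    attack: tuple          # ATT&CK technique IDs, empty when the cell is "—"
    description: str


def priority(kev: bool, cvss: float, epss: float) -> float:
    """The page's formula, rounded to two decimals as the table prints it."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS must be a fraction in [0, 1], not a percentage: {epss}")
    return round(W_KEV * int(kev) + W_CVSS * cvss + W_EPSS * epss, 2)


def parse_epss(cell: str) -> float:
    """Accept '0.00%' (as printed) or a bare fraction such as '0.42'."""
    cell = cell.strip()
    return float(cell[:-1]) / 100.0 if cell.endswith("%") else float(cell)


def parse_table(markdown: str) -> list:
    """Parse the seven-column markdown table, skipping the header and separator rows."""
    rows = []
    for line in markdown.strip().splitlines()[2:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7:
            raise ValueError(f"expected 7 cells, got {len(cells)}: {line!r}")
        cve, kev, cvss, epss, prio, attack, desc = cells
        techniques = tuple(t.strip() for t in attack.split(",")) if attack and attack != "—" else ()
        rows.append(Row(cve, kev.upper() == "KEV", float(cvss), parse_epss(epss),
                        float(prio), techniques, desc))
    return rows


def mismatches(rows: list) -> list:
    """Rows whose printed Priority disagrees with the recomputed one: (cve, printed, recomputed)."""
    out = []
    for r in rows:
        recomputed = priority(r.kev, r.cvss, r.epss)
        if recomputed != r.table_priority:
            out.append((r.cve, r.table_priority, recomputed))
    return out


def rank(rows: list) -> list:
    """CVE IDs from highest to lowest Priority; ties broken by CVE ID so the order is stable."""
    return [r.cve for r in sorted(rows, key=lambda r: (-priority(r.kev, r.cvss, r.epss), r.cve))]


def kev_breakeven_cvss() -> float:
    """CVSS above which a KEV-listed CVE outranks a CVSS 10.0 CVE not in KEV (equal EPSS)."""
    return round((W_CVSS * 10.0 - W_KEV) / W_CVSS, 2)


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print("mismatches:", mismatches(rows))
    for cve in rank(rows):
        print(cve)
    print("KEV break-even CVSS:", kev_breakeven_cvss())
```

Two things the numbers make visible: the KEV term is worth 1.5 points, the same as about 2.14 CVSS points (1.5 / 0.7), so any KEV-listed CVE with a base score above 7.86 outranks a non-KEV CVSS 10.0; and with every EPSS in the table at 0.00% the third term contributes nothing, so the non-KEV rows that share a CVSS score are exact ties and the order among them carries no information.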