New
CVE-2025-9056: Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation.
CVE-2025-13677: Simple Download Counter <= 2.2.2 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal: The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administ...
CVE-2025-13613: Elated Membership <= 1.2 - Authentication Bypass via Social Login: The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and the 'eltdf_membership_login_user_from_social_netwo...
CVE-2025-67507: Filament's multi-factor authentication (app) recovery codes can be used multiple times: Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA...
CVE-2025-67506: PipesHub Vulnerable to Path Traversal through Unauthenticated Arbitrary File Upload: PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.joi...
Updated
CVE-2024-12087: Rsync: path traversal vulnerability in rsync: A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication check...
CVE-2025-62221: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability: Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-54100: PowerShell Remote Code Execution Vulnerability: Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.
CVE-2025-64680: Windows DWM Core Library Elevation of Privilege Vulnerability: Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CVE-2025-64679: Windows DWM Core Library Elevation of Privilege Vulnerability: Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CISA Known Exploited Vulnerabilities
CVE-2025-62221 Microsoft Windows: Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.
CVE-2025-6218 RARLAB WinRAR: RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.
CVE-2022-37055 D-Link Routers: D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2025-66644 Array Networks ArrayOS AG: Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.
CVE-2025-55182 Meta React Server Components: Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
