The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-33073

• Severity: 8.8 HIGH
• Impacted Products: Windows, various
• Description: Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-33073
• PoC: https://github.com/mverschu/CVE-2025-33073

CVE-2025-33053

• Severity: 8.8 HIGH
• Impacted Products: Windows, various
• Description: External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-33053
• PoC: https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept

CVE-2025-5701

• Severity: 9.8 CRITICAL
• Impacted Products: HyperComments <= 1.2.2 - Unauthenticated (Subscriber+) Arbitrary Options Update
• Description: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-5701
• PoC: https://github.com/RandomRobbieBF/CVE-2025-5701/

CVE-2025-49223

• Severity: 9.8 CRITICAL
• Impacted Products: billboard.js before 3.15.1
• Description: billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-49223
• PoC: https://github.com/louay-075/CVE-2025-49223-BillboardJS-PoC

CVE-2025-49113

• Severity: 9.9 CRITICAL
• Impacted Products: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11
• Description: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-49113
• PoC: https://github.com/rasool13x/exploit-CVE-2025-49113/

CVE-2025-48828

• Severity: 9.0 CRITICAL
• Impacted Products: Vbulletin 6.0.3
• Description: Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the “var_dump”(“test”) syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-48828
• PoC: https://karmainsecurity.com/pocs/vBulletin-replaceAdTemplate-RCE.php

CVE-2025-48827

• Severity: 10.0 CRITICAL
• Impacted Products: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3
• Description: vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-48827
• PoC: https://github.com/0xgh057r3c0n/CVE-2025-48827

CVE-2025-48129

• Severity: 9.8 CRITICAL
• Impacted Products: Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
• Description: Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Privilege Escalation.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-48129
• PoC: https://github.com/Nxploited/CVE-2025-48129

CVE-2025-45854

• Severity: 10.0 CRITICAL
• Impacted Products: JEHC-BPM 2.0.1
• Description: /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-45854
• PoC: https://gist.github.com/Cafe-Tea/bc14b38f4bfd951de2979a24c3358460

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.