The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-2783

• Severity: 8.3 HIGH
• Impacted Products: Google Chrome on Windows prior to 134.0.6998.177
• Description: Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-2783
• PoC: https://github.com/byteReaper77/CVE-2025-2783

CVE-2025-33073

• Severity: 8.8 HIGH
• Impacted Products: Windows, various
• Description: Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-33073
• PoC: https://github.com/mverschu/CVE-2025-33073

CVE-2025-33053

• Severity: 8.8 HIGH
• Impacted Products: Windows, various
• Description: External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-33053
• PoC: https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept

CVE-2025-6179

• Severity: 4.4 MEDIUM
• Impacted Products: Google ChromeOS 16181.27.0
• Description: Permissions Bypass in Extension Management in Google ChromeOS 16181.27.0 on managed Chrome devices allows a local attacker to disable extensions and access Developer Mode, including loading additional extensions via exploiting vulnerabilities using the ExtHang3r and ExtPrint3r tools.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-6179
• PoC: https://github.com/Blobby-Boi/ExtPrint3r

CVE-2025-6065

• Severity: 9.1 CRITICAL
• Impacted Products: Image Resizer On The Fly plugin for WordPress <= v1.1
• Description: The vulnerability stems from insufficient file path validation in the ‘delete’ task functionality.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-6065
• PoC: https://github.com/Yuri08loveElaina/CVE_2025_6065

CVE-2025-6018 & CVE-2025-6019

• Severity: 7 HIGH
• Impacted Products: libblockdev
• Description: A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the “allow_active” setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an “allow_active” user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-6018 & NVD - CVE-2025-6019
• PoC: https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

CVE-2025-5288

• Severity: 9.1 CRITICAL
• Impacted Products: REST API | Custom API Generator For Cross Platform And Import Export In WP plugin v1.0.0 to 2.0.3
• Description: The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-5288
• PoC: https://github.com/Nxploited/CVE-2025-5288

CVE-2025-45988

• Severity: 9.1 CRITICAL
• Impacted Products: Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7
• Description: Multiple command injection vulnerabilities via the cmd parameter in the bs_SetCmd function.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-45988
• PoC: https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_cmd%20Indicates%20the%20unauthorized%20command%20injection/The%20LB-LINK_cmd%20command%20is%20used%20to%20inject%20information.md

CVE-2025-45984

• Severity: 9.1 CRITICAL
• Impacted Products: Blink routers BL-WR9000 V2.4.9, BL-AC1900 V1.0.2, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 V1.0.5, BL-LTE300 V1.2.3, BL-F1200_AT1 V1.0.0, BL-X26_AC8 V1.2.8, BLAC450M_AE4 V4.0.0 and BL-X26_DA3 V1.2.7
• Description: Command injection vulnerability via the routepwd parameter in the sub_45B238 function.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-45984
• PoC: https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_routepwd%20Indicates%20the%20unauthorized%20command%20injection/LB-LINK_routepwd%20command%20injection.md

CVE-2025-4123

• Severity: 7.6 HIGH
• Impacted Products: Grafana 11.2, Grafana 11.3, Grafana 11.4, Grafana 11.5, Grafana 11.6, Grafana 12.0
• Description: A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the connect-src directive.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-4123
• PoC: https://github.com/B1ack4sh/Blackash-CVE-2025-4123

CVE-2025-29927

• Severity: 9.1 CRITICAL
• Impacted Products: Next.js
• Description: Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops. The security report showed it was possible to skip running Middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-29927
• PoC: https://github.com/KamalideenAK/poc-cve-2025-29927

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.