PoC Week 2025-09-15

Posted on Sep 15, 2025

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2025-54914

  • Severity: 10 CRITICAL
  • Impacted Products: Azure
  • Description: Azure Networking Elevation of Privilege Vulnerability. During analysis of the Azure Networking service’s “GetRouteTable” API, I discovered an access‑control gap that allows a client with read permissions on a virtual network to create new route objects inside the same subnet without verifying that the caller is authorized for that action. The code path responsible for serialising the incoming request was missing an explicit privilege check.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-54914
  • PoC: https://github.com/mrk336/Azure-Networking-Privilege-Escalation-Exploit-CVE-2025-54914/

CVE-2025-5086

  • Severity: 9.0 CRITICAL
  • Impacted Products: 3DS Delmia Apriso
  • Description: A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-5086
  • PoC: https://isc.sans.edu/diary/32256

CVE-2025-59046

  • Severity: 9.8 CRITICAL
  • Impacted Products: interactive-git-checkout
  • Description: The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Versions up to and including 1.1.4 of the interactive-git-checkout tool are vulnerable to a command injection vulnerability because the software passes the branch name to the git checkout command using the Node.js child process module’s exec() function without proper input validation or sanitization. Commit 8dd832dd302af287a61611f4f85e157cd1c6bb41 fixes the issue.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-59046
  • PoC: https://github.com/ninofiliu/interactive-git-checkout/security/advisories/GHSA-4wcm-7hjf-6xw5

CVE-2025-58746

  • Severity: 9.0 CRITICAL
  • Impacted Products: Volkov Labs Business Links panel for Grafana
  • Description: The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-58746
  • PoC: https://github.com/VolkovLabs/business-links/security/advisories/GHSA-93qj-gv4p-mf53

CVE-2025-57285

  • Severity: 9.8 CRITICAL
  • Impacted Products: codeceptjs 3.7.3
  • Description: codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-57285
  • PoC: https://gist.github.com/Dremig/1ba111f9b1f7cffe1fcb4838b64e55b9

CVE-2025-57141

  • Severity: 9.8 CRITICAL
  • Impacted Products: rsbi-os 4.7
  • Description: rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc. An attacker would need to create a specially crafted HTTP POST request containing a malicious JDBC connection string within the linkUrl parameter and send it to the vulnerable /rsbi/model/testDataSource.action endpoint, causing the application to connect to a malicious MySQL server. A failed attempt at exploitation could potentially cause a crash of the application, resulting in a denial-of-service condition.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-57141
  • PoC: https://github.com/line2222/vuln/issues/2

CVE-2025-53693

  • Severity: 9.8 CRITICAL
  • Impacted Products: Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
  • Description: Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-53693
  • PoC: https://github.com/brokendreamsclub/CVE-2025-53693/

CVE-2025-53690

  • Severity: 9.8 CRITICAL
  • Impacted Products: Sitecore Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
  • Description: Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-53690
  • PoC: https://github.com/rxerium/CVE-2025-53690

CVE-2025-48543

  • Severity: 9.8 CRITICAL
  • Impacted Products: Android (various)
  • Description: In multiple locations, there is a possible way to escape chrome sandbox to attack android system-server due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-48543
  • PoC: https://github.com/gamesarchive/CVE-2025-48543

CVE-2025-10183

  • Severity: 9.1 CRITICAL
  • Impacted Products: TecConnect 4.1
  • Description: A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. TecConnect 4.1 is considered end-of-life as of December 2023. Users are advised to upgrade to TecCom Connect 5.
  • Remediation: Follow developer advice.
  • More Info: NVD - CVE-2025-10183
  • PoC: https://blog.blacklanternsecurity.com/p/teccom-tecconnect-41-xml-external

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.