The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. Follow links with caution.

CVE-2025-53770

• Severity: 8.8 HIGH
• Impacted Products: On-premises SharePoint servers
• Description: Starting in mid-July 2025, threat actors began actively exploiting two path traversal vulnerabilities affecting on-premises SharePoint servers: CVE-2025-53770 and CVE-2025-53771. With the discovery of the newer vulnerabilities, attackers managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution.
• Remediation:
  • Microsoft SharePoint Server Remote Code Execution Vulnerability
  • Microsoft KB 5002753
  • Microsoft KB 5002759
• More Info: NVD - CVE-2025-53770
• PoC:
  • https://github.com/3a7/CVE-2025-53770
  • https://github.com/Agampreet-Singh/CVE-2025-53770/blob/main/cve-2025-53770.py
  • https://github.com/kaizensecurity/CVE-2025-53770/blob/master/payload

CVE-2025-53771

• Severity: 6.5 MEDIUM
• Impacted Products: Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2016
• Description: Microsoft SharePoint Server is affected by a path traversal and spoofing vulnerability (CVE-2025-53771) that acts as a patch bypass for CVE-2025-49706, enabling unauthenticated remote code execution when chained with other vulnerabilities. This flaw allows an attacker to bypass authentication mechanisms.
• Remediation:
  • Microsoft SharePoint Server Spoofing Vulnerability
  • Microsoft KB 5002753
  • Microsoft KB 5002759
• More Info: NVD - CVE-2025-53771
• PoC:
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/sharepoint_toolpane_rce.rb

CVE-2025-55182

• Severity: 10.0 CRITICAL
• Impacted Products: React Server Components (RSC) 19.0.0, 19.1.0, 19.1.1, 19.2.0
• Description: React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 are affected by a deserialization of untrusted data vulnerability. This flaw allows an unauthenticated, remote attacker to achieve arbitrary code execution on affected systems.
• Remediation:
  • oss-security - CVE-2025-55182: RCE in React Server Components
  • Critical Security Vulnerability in React Server Components – React
  • GCP-2025-072
• More Info: NVD - CVE-2025-55182
• PoC:
  • https://github.com/assetnote/react2shell-scanner/blob/master/scanner.py
  • https://github.com/ThemeHackers/CVE-2025-55182/blob/main/CVE-2025-55182.py
  • https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc

CVE-2025-66401

• Severity: 9.8 CRITICAL
• Impacted Products: MCP Watch 0.1.2 and earlier
• Description: MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-66401
• PoC:
  • https://github.com/advisories/GHSA-27m7-ffhq-jqrm

CVE-2025-6389

• Severity: 9.8 CRITICAL
• Impacted Products: Sneeit Framework plugin for WordPress, 8.3
• Description: The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-6389
• PoC:
  • https://github.com/Ashwesker/Blackash-CVE-2025-6389/blob/main/CVE-2025-6389.py

CVE-2025-59390

• Severity: 9.8 CRITICAL
• Impacted Products: Apache Druid 34.0.0
• Description: Apache Druid’s Kerberos authenticator, when not explicitly configured with druid.auth.authenticator.kerberos.cookieSignatureSecret, generates a weak fallback secret using ThreadLocalRandom, enabling potential authentication bypass or token forgery. This also causes authentication failures in distributed deployments due to inconsistent secrets across nodes.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-59390
• PoC:
  • https://github.com/Daeda1usUK/CVE-2025-59390-

CVE-2025-58360

• Severity: 8.2 HIGH
• Impacted Products: GeoServer from version 2.26.0 to before 2.26.2 and before 2.25.6
• Description: GeoServer is an open source server that allows users to share and edit geospatial data. An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2….
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-58360
• PoC:
  • https://github.com/quyenheu/CVE-2025-58360
  • https://github.com/Ashwesker/Blackash-CVE-2025-58360/blob/main/README.md

CVE-2025-51682

• Severity: 9.8 CRITICAL
• Impacted Products: mJobtime 15.7.2
• Description: mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-51682
• PoC:
  • https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce

CVE-2025-41744

• Severity: 9.1 CRITICAL
• Impacted Products: Sprecher Automations SPRECON-E series
• Description: Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-41744
• PoC:
  • https://github.com/boeseejykbtanke348/CVE-2025-38001/blob/main/README.md
  • https://github.com/sinrinmagic43/CVE-2025-41744-Poc/blob/main/README.md
  • https://github.com/gromila7813/CVE-2025-41744/blob/main/README.md

CVE-2025-13595

• Severity: 9.8 CRITICAL
• Impacted Products: CIBELES AI plugin for WordPress, 1.10.8
• Description: The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the ‘actualizador_git.php’ file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site’s server which may make remote code execution possible.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-13595
• PoC:
  • https://github.com/d0n601/CVE-2025-13595/blob/master/CVE-2025-13595.py

CVE-2025-66478

• Severity: 10.0 CRITICAL
• Impacted Products: Next.js 15.x, Next.js 16.x, Next.js 14.3.0-canary.77
• Description: Next.js is affected by a deserialization of untrusted data vulnerability in its implementation of React Server Components, which can allow for remote code execution. This flaw stems from improper handling of arguments in Server Actions.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-66478
• PoC:
  • https://github.com/BankkRoll/Quickcheck-CVE-2025-55182-React-and-CVE-2025-66478-Next.js
  • https://github.com/abtonc/next-cve-2025-66478/blob/main/run.sh
  • https://github.com/santihabib/CVE-2025-55182-analysis/blob/main/README.md

CVE-2025-6554

• Severity: 8.1 HIGH
• Impacted Products: Google Chrome prior to version 138.0.7204.96
• Description: Google Chrome’s V8 JavaScript engine contains a type confusion vulnerability that allows a remote attacker to achieve arbitrary read/write capabilities and arbitrary code execution. This can be triggered by a specially crafted HTML page.
• Remediation:
  • Security Update for Dell ThinOS 10 for Multiple Google Chrome Vulnerabilities
  • Product Release Advisory - Tanzu Hub 10.2.1
  • chromium-138.0.7204.92-1.fc41
• More Info: NVD - CVE-2025-6554
• PoC:
  • https://github.com/9Insomnie/CVE-2025-6554
  • https://github.com/PwnToday/CVE-2025-6554/blob/main/PoC.html
  • https://github.com/mistymntncop/CVE-2025-6554

CVE-2025-61757

• Severity: 9.8 CRITICAL
• Impacted Products: Oracle Fusion Middleware Identity Manager 12.2.1.4.0, Oracle Fusion Middleware Identity Manager 14.1.2.1.0
• Description: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/P…
• Remediation:
  • Oracle Critical Patch Update Advisory - October 2025
  • Text Form of Oracle Critical Patch Update - October 2025 Risk Matrices
• More Info: NVD - CVE-2025-61757
• PoC:
  • https://github.com/Jinxia62/Oracle-Identity-Manager-CVE-2025-61757/blob/main/CVE-2025-61757.py
  • https://github.com/B1ack4sh/Blackash-CVE-2025-61757/blob/main/CVE-2025-61757.py

CVE-2025-13486

• Severity: 9.8 CRITICAL
• Impacted Products: Advanced Custom Fields: Extended plugin for WordPress 0.9.0.5 through 0.9.1.1
• Description: The Advanced Custom Fields: Extended plugin for WordPress versions 0.9.0.5 through 0.9.1.1 is vulnerable to remote code execution. This flaw allows unauthenticated attackers to execute arbitrary code on the server due to improper handling of user-supplied input.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-13486
• PoC:
  • https://github.com/0xanis/CVE-2025-13486-POC/blob/main/poc.py
  • https://github.com/lasthero-887/CVE-2025-13486---Poc/blob/main/README.md
  • https://github.com/MataKucing-OFC/CVE-2025-13486/blob/main/CVE-2025-13486.py

CVE-2022-43939

• Severity: 8.6 HIGH
• Impacted Products: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x
• Description: Hitachi Vantara Pentaho Business Analytics Server versions contain security restrictions using non-canonical URLs which can be circumvented.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2022-43939
• PoC:
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb
  • https://research.aurainfosec.io/pentest/pentah0wnage
  • https://www.exploit-db.com/exploits/51350

CVE-2022-43769

• Severity: 8.8 HIGH
• Impacted Products: Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1, 9.3.0.2, 8.3.x
• Description: Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2022-43769
• PoC:
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb
  • https://research.aurainfosec.io/pentest/pentah0wnage
  • https://www.exploit-db.com/exploits/51350

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.