The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. Follow links with caution.

CVE-2025-55182

• Severity: 10.0 CRITICAL
• Impacted Products: React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
• Description: A deserialization of untrusted data vulnerability. This flaw allows an unauthenticated, remote attacker to achieve arbitrary code execution on affected systems. Successful exploitation allows an unauthenticated, remote attacker to execute arbitrary JavaScript code on the server with the privileges of the application. This can lead to full compromise of the affected system, impacting confidenti…
• Remediation:
  • oss-security - CVE-2025-55182: RCE in React Server Components
  • Critical Security Vulnerability in React Server Components – React
  • GCP-2025-072
• More Info: NVD - CVE-2025-55182
• PoC:
  • https://github.com/assetnote/react2shell-scanner/blob/master/scanner.py
  • https://github.com/sickwell/CVE-2025-55182/blob/main/cve-2025-55182.yaml
  • https://github.com/Cillian-Collins/CVE-2025-55182/blob/main/CVE-2025-55182.py

CVE-2025-53770

• Severity: 8.8 HIGH
• Impacted Products: On-premises SharePoint servers
• Description: Starting in mid-July 2025, threat actors began actively exploiting two path traversal vulnerabilities affecting on-premises SharePoint servers: CVE-2025-53770 and CVE-2025-53771. With the discovery of the newer vulnerabilities, attackers managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution.
• Remediation:
  • Microsoft SharePoint Server Remote Code Execution Vulnerability
  • Microsoft KB 5002753
  • Microsoft KB 5002759
• More Info: NVD - CVE-2025-53770
• PoC:
  • https://github.com/3a7/CVE-2025-53770
  • https://github.com/Agampreet-Singh/CVE-2025-53770/blob/main/cve-2025-53770.py
  • https://github.com/kaizensecurity/CVE-2025-53770/blob/master/payload

CVE-2025-41744

• Severity: 9.1 CRITICAL
• Impacted Products: Sprecher Automations SPRECON-E series
• Description: Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-41744
• PoC:
  • https://github.com/boeseejykbtanke348/CVE-2025-38001/blob/main/README.md
  • https://github.com/sinrinmagic43/CVE-2025-41744-Poc/blob/main/README.md
  • https://github.com/gromila7813/CVE-2025-41744/blob/main/README.md

CVE-2025-59718

• Severity: 9.8 CRITICAL
• Impacted Products: Fortinet FortiOS, FortiProxy, and FortiSwitchManager
• Description: Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an improper verification of cryptographic signature vulnerability that allows an unauthenticated attacker to bypass FortiCloud SSO login authentication. This flaw can be exploited by sending a specially crafted SAML response message. An unauthenticated attacker can bypass the FortiCloud SSO login authentication, potentially gaining administrative access to the device without valid credentials.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-59718
• PoC:
  • https://github.com/Ashwesker/Blackash-CVE-2025-59718

CVE-2025-53771

• Severity: 6.5 MEDIUM
• Impacted Products: Microsoft SharePoint Server
• Description: Microsoft SharePoint Server is affected by a path traversal and spoofing vulnerability (CVE-2025-53771) that acts as a patch bypass for CVE-2025-49706, enabling unauthenticated remote code execution when chained with other vulnerabilities. This flaw allows an attacker to bypass authentication mechanisms.
• Remediation:
  • Microsoft SharePoint Server Spoofing Vulnerability
  • Microsoft KB 5002753
  • Microsoft KB 5002759
• More Info: NVD - CVE-2025-53771
• PoC:
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/sharepoint_toolpane_rce.rb

CVE-2025-13486

• Severity: 9.8 CRITICAL
• Impacted Products: Advanced Custom Fields: Extended plugin for WordPress versions 0.9.0.5 through 0.9.1.1
• Description: Remote code execution. This flaw allows unauthenticated attackers to execute arbitrary code on the server due to improper handling of user-supplied input.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-13486
• PoC:
  • https://github.com/0xanis/CVE-2025-13486-POC/blob/main/poc.py
  • https://github.com/lasthero-887/CVE-2025-13486---Poc/blob/main/README.md
  • https://github.com/0xgh057r3c0n/CVE-2025-13486

CVE-2025-60736

• Severity: 9.8 CRITICAL
• Impacted Products: code-projects Online Medicine Guide 1.0
• Description: SQL Injection in /login.php via the upass parameter.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-60736
• PoC:
  • https://github.com/WinDyAlphA/CVE-2025-60736/blob/main/README.md

CVE-2025-67506

• Severity: 9.8 CRITICAL
• Impacted Products: PipesHub prior to 0.1.0-beta
• Description: PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.join(tmpdir, file.filename) without normalizing the filename. An attacker can submit a crafted filename containing ../ sequences to write arbitrary files anywhere the service account has p…
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-67506
• PoC:
  • https://github.com/pipeshub-ai/pipeshub-ai/security/advisories/GHSA-w398-9m55-2357

CVE-2025-67494

• Severity: 9.3 CRITICAL
• Impacted Products: ZITADEL <= 4.7.0
• Description: ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration etc.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-67494
• PoC:
  • https://github.com/Chocapikk/CVE-2025-67494

CVE-2025-67489

• Severity: 9.8 CRITICAL
• Impacted Products: @vitejs/plugin-rs <= 0.5.5
• Description: @vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-67489
• PoC:
  • https://github.com/advisories/GHSA-j76j-5p5g-9wfr

CVE-2025-66401

• Severity: 9.8 CRITICAL
• Impacted Products: MCP Watch <= 0.1.2
• Description: MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-66401
• PoC:
  • https://github.com/advisories/GHSA-27m7-ffhq-jqrm

CVE-2025-6389

• Severity: 9.8 CRITICAL
• Impacted Products: Sneeit Framework plugin for WordPress <= 8.3
• Description: The Sneeit Framework plugin for WordPress, in all versions up to and including 8.3, is susceptible to a remote code execution vulnerability. This flaw allows unauthenticated attackers to execute arbitrary code on the server due to improper handling of user-supplied input. Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the server with the privileges of the web server process. This can lead to the creation of new administrative user accounts etc.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-6389
• PoC:
  • https://github.com/Ashwesker/Blackash-CVE-2025-6389/blob/main/CVE-2025-6389.py
  • https://github.com/itsismarcos/SneeitScanner-CVE-2025-6389/blob/main/SneeitScanner.py

CVE-2025-60854

• Severity: 9.8 CRITICAL
• Impacted Products: D-Link R15 (AX1500) 1.20.01 and below
• Description: By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-60854
• PoC:
  • https://github.com/K0n9-log/CVE-2025-60854/blob/main/exploit.md

CVE-2025-59390

• Severity: 9.8 CRITICAL
• Impacted Products: Information not available
• Description: Apache Druid’s Kerberos authenticator, when not explicitly configured with druid.auth.authenticator.kerberos.cookieSignatureSecret, generates a weak fallback secret using ThreadLocalRandom, enabling potential authentication bypass or token forgery. This also causes authentication failures in distributed deployments due to inconsistent secrets across nodes.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-59390
• PoC:
  • https://github.com/Daeda1usUK/CVE-2025-59390-

CVE-2025-58360

• Severity: 8.2 HIGH
• Impacted Products: GeoServer versions 2.26.0 to before 2.26.2 and before 2.25.6
• Description: GeoServer versions 2.26.0 to before 2.26.2 and before 2.25.6 are affected by an XML External Entity (XXE) vulnerability in the /geoserver/wms endpoint’s GetMap operation, allowing an attacker to define external entities within XML requests. This flaw stems from insufficient sanitization of XML input.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-58360
• PoC:
  • https://github.com/quyenheu/CVE-2025-58360
  • https://gist.github.com/bolhasec/32fa035354d7cc9417aa297e2fe22b30
  • https://github.com/Ashwesker/Blackash-CVE-2025-58360/blob/main/README.md

CVE-2025-51682

• Severity: 9.8 CRITICAL
• Impacted Products: mJobtime 15.7.2
• Description: mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-51682
• PoC:
  • https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce

CVE-2025-13595

• Severity: 9.8 CRITICAL
• Impacted Products: CIBELES AI plugin for WordPress <= 1.10.8
• Description: The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the ‘actualizador_git.php’ file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site’s server which may make remote code execution possible.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-13595
• PoC:
  • https://github.com/d0n601/CVE-2025-13595/blob/master/CVE-2025-13595.py

CVE-2025-13342

• Severity: 9.8 CRITICAL
• Impacted Products: Frontend Admin by DynamiApps plugin for WordPress <= 3.28.20
• Description: The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-13342
• PoC:
  • https://github.com/Altelus1/CVE-2025-13342/blob/main/poc.py

CVE-2021-26828

• Severity: 8.8 HIGH
• Impacted Products: OpenPLC ScadaBR
• Description: OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
• Remediation:
  • https://github.com/SCADA-LTS/Scada-LTS/pull/2174
• More Info: NVD - CVE-2021-26828
• PoC:
  • https://github.com/Yuri08loveElaina/CVE-2021-26828/blob/main/CVE-2021-26828

CVE-2025-6554

• Severity: 8.1 HIGH
• Impacted Products: Google Chrome’s V8 JavaScript engine
• Description: Google Chrome’s V8 JavaScript engine contains a type confusion vulnerability that allows a remote attacker to achieve arbitrary read/write capabilities and arbitrary code execution. This can be triggered by a specially crafted HTML page.
• Remediation:
  • Security Update for Dell ThinOS 10 for Multiple Google Chrome Vulnerabilities
  • Product Release Advisory - Tanzu Hub 10.2.1
  • chromium-138.0.7204.92-1.fc41
• More Info: NVD - CVE-2025-6554
• PoC:
  • https://github.com/9Insomnie/CVE-2025-6554
  • https://github.com/PwnToday/CVE-2025-6554/blob/main/PoC.html
  • https://github.com/mistymntncop/CVE-2025-6554

CVE-2025-61757

• Severity: 9.8 CRITICAL
• Impacted Products: Oracle Fusion Middleware (component: REST WebServices) 12.2.1.4.0 and 14.1.2.1.0
• Description: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager.
• Remediation:
  • Oracle Critical Patch Update Advisory - October 2025
  • Text Form of Oracle Critical Patch Update - October 2025 Risk Matrices
• More Info: NVD - CVE-2025-61757
• PoC:
  • https://github.com/Jinxia62/Oracle-Identity-Manager-CVE-2025-61757/blob/main/CVE-2025-61757.py
  • https://github.com/B1ack4sh/Blackash-CVE-2025-61757/blob/main/CVE-2025-61757.py

CVE-2022-43939

• Severity: 8.6 HIGH
• Impacted Products: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x
• Description: Security restrictions using non-canonical URLs which can be circumvented.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2022-43939
• PoC:
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb
  • https://research.aurainfosec.io/pentest/pentah0wnage
  • https://www.exploit-db.com/exploits/51350

CVE-2022-43769

• Severity: 8.8 HIGH
• Impacted Products: Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x
• Description: Allow certain web services to set property values which contain Spring templates that are interpreted downstream.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2022-43769
• PoC:
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb
  • https://research.aurainfosec.io/pentest/pentah0wnage
  • https://www.exploit-db.com/exploits/51350

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.