Recent CVEs (vendor / product / age):
- CVE-2025-34028: Commvault Command Center (3d)
- CVE-2024-58136: Yiiframework Yii (3d)
- CVE-2024-38475: Apache HTTP Server (4d)
- CVE-2023-44221: SonicWall SMA100 Appliances (4d)
- CVE-2025-31324: SAP NetWeaver (6d)
- CVE-2025-42599: Qualitia Active! Mail (7d)
- CVE-2025-3928: Commvault Web Server (7d)
- CVE-2025-1976: Broadcom Brocade Fabric OS (7d)
- CVE-2025-31201: Apple Multiple Products (18d)
- CVE-2025-31200: Apple Multiple Products (18d)
CVE Trends (Beta)
Updated 6 minutes ago

Top 10 CVEs trending on social media within the last 24 hours. When the Hypemeter is low, rankings become less reliable due to limited online discussion.

Each entry lists: trending rank, CVE, severity and CVSS score (with an "Exploit known" marker where applicable), hype score over the last 24 hours, published date, and description.
1. CVE-2025-3776 | Severity: high (8.3) | Hype score: 53 | Published: Apr 24, 2025
   CVE-2025-3776 is a vulnerability found in the Verification SMS with TargetSMS plugin for WordPress, affecting versions up to and including 1.5. The vulnerability allows for limited Remote Code Execution (RCE) due to a lack of validation on the type of function that can be called via the 'targetvr_ajax_handler' function. This flaw stems from the use of `call_user_func()` on user-controlled input without proper sanitization against a whitelist of allowed functions. As a result, unauthenticated attackers can execute arbitrary PHP functions that exist in memory, potentially leading to the execution of commands like phpinfo() or other malicious functions if an attacker can load them.
2. CVE-2025-31161 | Severity: critical (9.8) | Exploit known | Hype score: 29 | Published: Apr 3, 2025 | Tag: CrushFTP
   CVE-2025-31161 is a critical authentication bypass vulnerability found in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It stems from a flaw in the AWS4-HMAC authorization method within the HTTP component, allowing remote attackers to gain unauthorized access to systems running unpatched versions of the software via unauthenticated HTTP requests. The vulnerability allows attackers to impersonate any known or guessable user, including the "crushadmin" account, by sending a manipulated Authorization header. The server initially verifies user existence without requiring a password, enabling session authentication through HMAC verification before a subsequent user verification check. This bypass can lead to a full compromise of the system by obtaining an administrative account.

3. CVE-2025-2774 | Hype score: 28
   CVE-2025-2774 refers to a vulnerability found in Webmin, a web-based system administration tool commonly used for Unix-like servers. This vulnerability is a CRLF Injection Privilege Escalation vulnerability. The vulnerability stems from Webmin's handling of CGI requests, specifically the "lack of proper neutralization of CRLF sequences". By injecting Carriage Return and Line Feed characters into specific requests, an attacker can manipulate the server's response. Successful exploitation could allow an attacker to escalate privileges and execute arbitrary code with root privileges, gaining significant control over the affected system. Another CVE with a similar number, CVE-2024-2774, is a SQL injection vulnerability found in Campcodes Online Marriage Registration System. Also, CVE-2025-27743 refers to an untrusted search path in System Center that allows an authorized attacker to elevate privileges locally.
4. CVE-2024-38475 | Severity: critical (9.1) | Exploit known | Hype score: 15 | Published: Jul 1, 2024
   CVE-2024-38475 involves improper output escaping in the `mod_rewrite` module of the Apache HTTP Server, specifically in versions 2.4.59 and earlier. This flaw allows an attacker to map URLs to filesystem locations that the server is permitted to serve but that are not intended to be directly accessible. This vulnerability can lead to code execution or source code disclosure. The issue arises when substitutions in the server context use backreferences or variables as the initial segment of the substitution. While the fix might break some existing RewriteRules, the "UnsafePrefixStat" flag can be used to revert to the previous behavior if the substitution is appropriately constrained.
5. CVE-2025-31125 | Severity: medium (5.3) | Hype score: 12 | Published: Mar 31, 2025
   CVE-2025-31125 is an arbitrary file read vulnerability that affects Vite, a frontend tooling framework for JavaScript. The vulnerability exists because Vite exposes the content of non-allowed files when using `?inline&import` or `?raw?import`. Exploitation is possible if the Vite development server is exposed to the network using the `--host` or `server.host` configuration options. An unauthenticated attacker can exploit this vulnerability by crafting malicious HTTP requests to read arbitrary files on the server, potentially leading to sensitive information leakage. Users can mitigate this vulnerability by updating to versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11. If upgrading is not immediately feasible, restricting access to the Vite development server can provide temporary relief.
6. CVE-2025-31207 | Hype score: 9
   CVE-2025-31207 refers to a vulnerability found in SourceCodester Apartment Visitors Management System 1.0. It involves a SQL injection vulnerability affecting the processing of the `/add-apartment.php` file. Specifically, the `apartmentno` argument can be manipulated to inject SQL code. The attack can be initiated remotely, and the exploit is publicly available. It is possible that other parameters are also affected by this vulnerability. Another vulnerability with the ID CVE-2025-34028 exists in Commvault Command Center, where a path traversal vulnerability allows a remote, unauthenticated attacker to execute arbitrary code. Also, CVE-2025-31201 describes an arbitrary read and write vulnerability in Apple iOS, iPadOS, macOS, and other Apple products that allows an attacker to bypass Pointer Authentication.
7. CVE-2025-34028 | Severity: critical (10.0) | Exploit known | Hype score: 3 | Published: Apr 22, 2025 | Tag: Commvault
   CVE-2025-34028 is a vulnerability in Commvault Command Center Innovation Release that allows an unauthenticated attacker to upload ZIP files. This path traversal vulnerability can lead to remote code execution when the server expands these files. The vulnerability affects Command Center Innovation Release versions 11.38.0 through 11.38.19 and has been patched in version 11.38.20. The vulnerability exists in the "deployWebpackage.do" and "deployServiceCommcell.do" endpoints, which are excluded from authentication requirements. An attacker can exploit this by sending an HTTP request to these endpoints, triggering a Server-Side Request Forgery (SSRF) vulnerability. This allows the attacker to force the Commvault server to download a ZIP file from an external server, use path traversal to place files in restricted directories, and ultimately execute malicious code via the web interface.

8. CVE-2025-32433 | Severity: critical (10.0) | Hype score: 1 | Published: Apr 16, 2025 | Tag: Erlang/OTP
   CVE-2025-32433 is a vulnerability found in the Erlang/OTP SSH server. It stems from a flaw in the SSH protocol message handling, which allows an attacker with network access to execute arbitrary code on the server without authentication. Specifically, the vulnerability enables a malicious actor to send connection protocol messages before authentication takes place. Successful exploitation could lead to full compromise of the host, unauthorized access, manipulation of sensitive data, or denial-of-service attacks.

9. CVE-2024-58136 | Severity: critical (9.0) | Exploit known | Hype score: 1 | Published: Apr 10, 2025
   CVE-2024-58136 is a vulnerability in Yii 2, a PHP framework, affecting versions prior to 2.0.52. It involves mishandling the attaching of a behavior that is defined by an `__class` array key. This vulnerability is a regression of a previously patched issue, CVE-2024-4990. The vulnerability allows attackers to manipulate the behavior of Yii 2 web applications. It stems from improper type and configuration checks in Yii's use of PHP's `__set()` magic method and the `Yii::createObject()` function, potentially leading to the instantiation of arbitrary PHP classes with malicious arguments. This vulnerability was actively exploited between February and April 2025.
10. CVE-2025-26529 | Severity: high (8.3) | Hype score: 1 | Published: Feb 24, 2025
    CVE-2025-26529 is a stored Cross-Site Scripting (XSS) vulnerability found in Moodle's site administration live log functionality. The vulnerability exists because description information displayed in the site administration live log was not properly sanitized. This flaw affects Moodle versions 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15, and earlier unsupported versions. Successful exploitation of this vulnerability could allow attackers to inject malicious scripts that would be executed in the context of other users' browsers when they view the affected live log section in the site administration area. To remediate this vulnerability, users are advised to upgrade to the patched versions: Moodle 4.5.2, 4.4.6, 4.3.10, and 4.1.16. The fix involves implementing proper sanitization for event descriptions in the live log functionality.