| SL.NO | CVE | Vulnerability | Vendor | Service | Version | CVSS | Severity |
| 1 | CVE-2025-0927 | Linux Kernel Privilege Escalation | Linux Kernel Organization | Linux Kernel | Ubuntu 22.04 with Linux Kernel 6.5.0-18-generic. | 7.8 | HIGH |
| 2 | CVE-2025-2783 | Google Chromium Mojo Sandbox Escape Vulnerability | Google | Google Chrome Browser | Prior to 134.0.6998.177/.178 on Windows systems. | 8.3 | HIGH |
| 3 | CVE-2025-26633 | Windows MMC Zero-Day Vulnerability | Microsoft | Microsoft Management Console (MMC) | Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. | 7.0 | HIGH |
| 4 | CVE-2025-20229 | Splunk Enterprise Arbitrary File Upload Remote Code Execution Vulnerability | Splunk Inc. | Splunk Enterprise and Splunk Cloud Platform | Versions prior to 9.3.3, 9.2.5, and 9.1.8. | 8.0 | HIGH |
| 5 | CVE-2025-2825 | CrushFTP Unauthenticated HTTP(S) Port Access Vulnerability | CrushFTP | CrushFTP File Transfer Solution | CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected. | 9.8 | CRITICAL |
| 6 | CVE-2025-1097 | Ingress NGINX Configuration Injection | NGINX Inc. | Ingress NGINX Controller for Kubernetes | Versions prior to 1.11.0 | 9.8 | CRITICAL |
| 7 | CVE-2025-26909 | WP Ghost Plugin Local File Inclusion | WP Ghost | WP Ghost WordPress Security Plugin | Versions up to and including 5.4.01 are affected. | 9.6 | HIGH |
| 8 | CVE-2025-29927 | Next.js Middleware Authorization Bypass | Vercel (Next.js) | Next.js Web Framework | Next.js versions 11.1.4 through 13.5.6Next.js versions 14.0.1 through 14.2.24Next.js versions 15.0.1 through 15.2.2 | 9.1 | HIGH |
| 9 | CVE-2024-13496 | GamiPress Plugin Unauthenticated SQL Injection Vulnerability | GamiPress | GamiPress WordPress Plugin | Versions up to and including 7.3.1 | 7.5 | HIGH |
| 10 | CVE-2025-23120 | Veeam Backup & Replication Remote Code Execution (RCE) Vulnerability | Veeam | Veeam Backup & Replication | Version 12.3.0.310 and all earlier versions 12 builds. | 9.8 | CRITICAL |
Description
1.CVE-2025-0927
The flaw resides in the HFS+ driver of the Linux kernel. According to the advisory, the vulnerability is a buffer overflow in B-tree node processing. Under specific conditions, the hfs_bnode_read_key function, located in fs/hfsplus/bnode.c, is used to populate an in-kernel buffer from the filesystem, but it lacks proper boundary checks on the size of the key.
References:
2.CVE-2025-2783
The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist,” noted Kaspersky researchers in their analysis.
References:
3.CVE-2025-26633
This vulnerability has been actively exploited by the Russian threat actor group known as Water Gamayun (also referred to as EncryptHub and Larva-208). They have leveraged this flaw, dubbed “MSC EvilTwin,” to manipulate .msc files and the Multilingual User Interface Path (MUIPath), enabling the download and execution of malicious payloads, maintaining persistence, and stealing sensitive data from infected systems.
References:
4.CVE-2025-20229
According to Splunk’s advisory, a low-privileged user without “admin” or “power” roles could exploit the vulnerability. This is achieved through uploading a file to the “$SPLUNK_HOME/var/run/splunk/apptemp” directory, bypassing necessary authorization checks.
References:
https://cybersecuritynews.com/splunk-rce-vulnerability-arbitrary-code/5.CVE-2025-2825
The vulnerability allows attackers to potentially gain initial access without authentication, which represents a critical security breakdown.”File transfer technologies like CrushFTP are considered high-value targets for ransomware operators and threat actors seeking to access and exfiltrate sensitive organizational data quickly.
References:
https://cybersecuritynews.com/crushftp-https-port-vulnerability/
6.CVE-2025-1097
A series of critical vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively termed “IngressNightmare,” allow unauthenticated attackers to inject arbitrary NGINX configurations and execute remote code, potentially leading to full cluster compromise.
References:
https://cybersecuritynews.com/ingress-nginx-remote-code-execution-vulnerability/7.CVE-2025-26909
A critical Local File Inclusion (LFI) vulnerability in the WP Ghost WordPress plugin allows unauthenticated attackers to include arbitrary files, potentially leading to Remote Code Execution (RCE).
References:
https://cybersecuritynews.com/wordpress-plugin-vulnerability-exposes-200k-sites/
8.CVE-2025-29927
A critical security vulnerability (CVE-2025-29927) has been discovered in Next.js that allows attackers to completely bypass middleware-based security controls by manipulating the x-middleware-subrequest header.
References:
https://cybersecuritynews.com/critical-next-js-middleware-vulnerability/?fbclid=PAY2xjawJOGwBleHRuA2FlbQIxMQABpi-dQcZf2CEbtjX89fhcOx4ai4heH1kht_y39goomIHI8BV_D8cM99N60w_aem_uLLCubBjm7D7MhoAEXRcSg
9.CVE-2024-13496
A critical SQL injection vulnerability exists in the GamiPress WordPress plugin, allowing unauthenticated attackers to inject malicious SQL queries. This flaw can lead to unauthorized access to sensitive database information and potential compromise of the entire WordPress installation
https://cybersecuritynews.com/wordpress-hackers-inject-malicious-sql-queries/
10.CVE-2025-23120
A critical remote code execution vulnerability exists in Veeam Backup & Replication that allows any domain user to execute arbitrary code with SYSTEM-level privileges on the backup server. This flaw arises from insecure deserialization mechanisms within Veeam’s backup solution, enabling attackers to escalate privileges and potentially compromise critical backup infrastructure.
https://cybersecuritynews.com/veeam-rce-vulnerability-domain-user/
