HIGH
MongoDB Memory Leak (MongoBleed)
High-severity vulnerability in MongoDB that allows unauthenticated attackers to read uninitialized heap memory from MongoDB servers. Exploits improper handling of length parameter inconsistencies in Zlib-compressed protocol headers (OP_COMPRESSED messages). Can leak sensitive in-memory data including credentials, API keys, tokens, and encryption keys.
CRITICAL
XWiki Server-Side Template Injection RCE
Critical Server-Side Template Injection (SSTI) vulnerability in XWiki via Groovy template injection in the SolrSearch RSS feed endpoint. Allows unauthenticated remote code execution with full system access.
CRITICAL
CrushFTP Server-Side Template Injection
Critical Server-Side Template Injection (SSTI) vulnerability in CrushFTP that allows remote code execution through template manipulation. Affects multiple versions and can lead to complete system compromise with administrative privileges.
CRITICAL
NextGen Mirth Connect Pre-Auth RCE
Pre-authentication Remote Code Execution vulnerability in NextGen Mirth Connect that allows attackers to execute arbitrary code without authentication. Critical severity with widespread impact on healthcare systems.
CRITICAL
PHP CGI Argument Injection RCE
Critical argument injection vulnerability in PHP CGI affecting Windows systems when using certain locale settings. Allows remote code execution through crafted HTTP requests.
CRITICAL
F5 BIG-IP iControl REST API Authentication Bypass
Critical authentication bypass vulnerability in F5 BIG-IP iControl REST API that allows unauthenticated remote code execution with administrative privileges.
CRITICAL
Next.js Middleware Authorization Bypass
Authorization bypass vulnerability in Next.js middleware that allows attackers to access protected routes by manipulating request headers and bypassing security controls.
HIGH
Ivanti Endpoint Manager Mobile Authentication Bypass
Authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows unauthorized access to administrative functions and sensitive enterprise data.
MEDIUM
Drupal 11.x-dev Full Path Disclosure
Information disclosure vulnerability in Drupal 11.x-dev that exposes sensitive file system paths through the authorize.php endpoint. The vulnerability allows attackers to discover server directory structures, settings.php locations, and potentially sensitive configuration file paths without authentication.
ARSENAL
Advanced Exploitation Collection
Comprehensive collection of 10 advanced proof-of-concept exploits including CVE-2025-31161, CVE-2024-4879, CVE-2024-28995, CVE-2024-0204, CVE-2023-30258, MS15-034, Shellshock, SpringBoot, TeamCity, and Zyxel PoC. Multi-platform exploitation toolkit for security research.