Critical active threat
CVE-2025-3248 Langflow Missing Authentication
- Actively exploited (CISA KEV)
- Listed on CISA KEV
Confirmed in-the-wild exploitation per CISA KEV — active threat momentum, not theoretical risk.
Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Three highest-priority changes — analyst brief, not a CVE dump.
Critical active threat
Confirmed in-the-wild exploitation per CISA KEV — active threat momentum, not theoretical risk.
Critical exposure
New critical Buddyboss Platform Auth Bypass (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Critical exposure
New critical Seacms RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
CISA KEV — confirmed in-the-wild exploitation.
Langflow Missing Authentication
Nothing flagged in this category for this digest.
Nothing flagged in this category for this digest.
The BuddyBoss Platform Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.01.
The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation.
SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php.
SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_manager.php.
SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_topic.php.
An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request.
Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET req...
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
Incorrect access control in the /admin/ API of yaoqishan v0.0.1-SNAPSHOT allows attackers to gain access to Admin rights via a crafted re...
Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request.