SugarCRM is a customer relationship management (CRM) system, providing sales force automation, marketing campaigns, customer support, collaboration, and other tools to manage customer data.

SugarCRM

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.

CVE-2025-25034

Linux

Linux Kernel

Windows

Windows Cumulative Update

Teleport is an open-source security tool that provides developers and system administrators with secure access to infrastructure resources such as servers (SSH) and Kubernetes clusters (K8s). It enforces role-based access control, supports various authentication methods, and captures audit logs for user sessions and actions. Teleport's focus on secure access, access control, and auditing makes it an essential solution for managing and securing modern infrastructure.

Teleport

Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch.

CVE-2025-49825

GoLang

GitHub Advisory Database

Sitecore Experience Platform (XP) is an enterprise content management system (CMS), providing tools for content management, digital marketing, and analytics and reporting.

Sitecore Experience Platform (XP)

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

CVE-2025-34510

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

CVE-2025-34509

Trend Micro Apex Central is a centralized security management console for enterprises. It provides visibility and control across multiple layers of security, including endpoint, mobile, server, and network protection.

Apex Central

An insecure deserialization operation in Trend Micro Apex Central below version 8.0.7007 could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49219 but is in a different method.

CVE-2025-49220

JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 2025.7.1 to resolve the issue.
Thank you to Elad Beber (Cymulate) for reporting these issues.

CVE-2025-53110

Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 2025.7.1 to resolve.
Thank you to Elad Beber (Cymulate) for reporting these issues.

CVE-2025-53109

Python is a high-level, general-purpose programming language. Its key feature is the high readability of the code. It supports multiple programming paradigms, including Object-Oriented Programming (OOP) and Functional Programming.

Python

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.

CVE-2025-48379

WordPress is a content management system paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.

WordPress

Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7.

CVE-2025-46259

@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-25034	CRITICAL	9.3	SugarCRM	cpe:2.3:a:sugarcrm:sugarcrm	No	Yes	Jun 20, 2025
CVE-2025-49825	CRITICAL	9.8	Teleport	cpe:2.3:a:goteleport:teleport	No	Yes	Jun 17, 2025
CVE-2025-34510	HIGH	8.8	Sitecore Experience Platform (XP)	cpe:2.3:a:sitecore:experience_platform	No	No	Jun 17, 2025
CVE-2025-34509	HIGH	8.2	Sitecore Experience Platform (XP)	cpe:2.3:a:sitecore:experience_platform	No	Yes	Jun 17, 2025
CVE-2025-49220	CRITICAL	9.8	Apex Central	cpe:2.3:a:trendmicro:apex_central	No	Yes	Jun 17, 2025

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-53110	HIGH	7.3	JavaScript	@modelcontextprotocol/server-filesystem	No	Yes	Jul 01, 2025
CVE-2025-53109	HIGH	7.3	JavaScript	@modelcontextprotocol/server-filesystem	No	Yes	Jul 01, 2025
CVE-2025-48379	HIGH	7.1	Python	pillow	No	Yes	Jul 01, 2025
CVE-2025-46259	MEDIUM	5.4	WordPress	theplus_elementor_addon	No	No	Jul 01, 2025
CVE-2025-53107	HIGH	7.5	JavaScript	@cyanheads/git-mcp-server	No	Yes	Jul 01, 2025

Wiz Vulnerability Database

Explore by technology

Popular filters

High Profile

Most Recent

Vulnerabilities by the numbers

The good, the bad, and the vulnerable

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?