CVE Database

391+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-4632
9.8 CRITICAL KEV

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as …

May 13, 2025
CVE-2025-42999
9.1 CRITICAL KEV

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to …

May 13, 2025
CVE-2025-47729
1.9 LOW KEV

The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described …

May 8, 2025
CVE-2025-35939
5.3 MEDIUM KEV

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft …

May 7, 2025
CVE-2025-2776
9.3 CRITICAL KEV

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account …

May 7, 2025
CVE-2025-2775
9.3 CRITICAL KEV

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover …

May 7, 2025
CVE-2025-27920
7.2 HIGH KEV

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access …

May 5, 2025
CVE-2025-3935
8.1 HIGH KEV

ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control …

Apr 25, 2025
CVE-2025-3928
8.8 HIGH KEV

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised …

Apr 25, 2025
CVE-2025-32432
10.0 CRITICAL KEV

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to …

Apr 25, 2025
CVE-2025-31324
10.0 CRITICAL KEV

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely …

Apr 24, 2025
CVE-2025-1976
6.7 MEDIUM KEV

Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full …

Apr 24, 2025
CVE-2025-34028
10.0 CRITICAL KEV

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, …

Apr 22, 2025
CVE-2025-42599
9.8 CRITICAL KEV

Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated …

Apr 18, 2025
CVE-2025-32433
10.0 CRITICAL KEV

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker …

Apr 16, 2025
CVE-2025-31201
9.8 CRITICAL KEV

This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS …

Apr 16, 2025
CVE-2025-31200
9.8 CRITICAL KEV

A memory corruption issue was addressed with improved bounds checking. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, …

Apr 16, 2025
CVE-2024-58136
9.0 CRITICAL KEV

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild …

Apr 10, 2025
CVE-2025-29824
7.8 HIGH KEV

Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Apr 8, 2025
CVE-2025-3248
9.8 CRITICAL KEV

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to …

Apr 7, 2025
CVE-2025-31161
9.8 CRITICAL KEV

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as …

Apr 3, 2025
CVE-2025-30406
9.0 CRITICAL KEV

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in …

Apr 3, 2025
CVE-2025-22457
9.0 CRITICAL KEV

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows …

Apr 3, 2025
CVE-2025-31125
5.3 MEDIUM KEV

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev …

Mar 31, 2025
CVE-2025-2783
8.3 HIGH KEV

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape …

Mar 26, 2025
CVE-2025-29635
7.2 HIGH KEV

A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST …

Mar 25, 2025
CVE-2025-2749
7.2 HIGH KEV

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in …

Mar 24, 2025
CVE-2025-2747
9.8 CRITICAL KEV

An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication …

Mar 24, 2025
CVE-2025-2746
9.8 CRITICAL KEV

An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication …

Mar 24, 2025
CVE-2025-30154
8.6 HIGH KEV

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps …

Mar 19, 2025
CVE-2025-30066
8.6 HIGH KEV

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 …

Mar 15, 2025
CVE-2025-27915
5.4 MEDIUM KEV

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client …

Mar 12, 2025
CVE-2025-21590
4.4 MEDIUM KEV

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity …

Mar 12, 2025
CVE-2025-24201
10.0 CRITICAL KEV

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, …

Mar 11, 2025
CVE-2025-26633
7.0 HIGH KEV

Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Mar 11, 2025
CVE-2025-24993
7.8 HIGH KEV

Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.

Mar 11, 2025
CVE-2025-24991
5.5 MEDIUM KEV

Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally.

Mar 11, 2025
CVE-2025-24985
7.8 HIGH KEV

Integer overflow or wraparound in Windows Fast FAT Driver allows an unauthorized attacker to execute code locally.

Mar 11, 2025
CVE-2025-24984
4.6 MEDIUM KEV

Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack.

Mar 11, 2025
CVE-2025-24983
7.0 HIGH KEV

Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally.

Mar 11, 2025
CVE-2025-24054
6.5 MEDIUM KEV

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Mar 11, 2025
CVE-2025-27363
8.1 HIGH KEV

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph …

Mar 11, 2025
CVE-2024-54085
9.8 CRITICAL KEV

AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this …

Mar 11, 2025
CVE-2025-24813
9.8 CRITICAL KEV

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet …

Mar 10, 2025
CVE-2025-1316
9.8 CRITICAL KEV

Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device

Mar 5, 2025
CVE-2025-22226
7.1 HIGH KEV

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a …

Mar 4, 2025
CVE-2025-22225
8.2 HIGH KEV

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an …

Mar 4, 2025
CVE-2025-22224
9.3 CRITICAL KEV

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a …

Mar 4, 2025
CVE-2024-48248
8.6 HIGH KEV

NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across …

Mar 4, 2025
CVE-2025-24893
9.8 CRITICAL KEV

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution …

Feb 20, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.