CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-8425
9.8 CRITICAL

The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' …

Feb 28, 2025
CVE-2024-8420
9.8 CRITICAL

The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin …

Feb 28, 2025
CVE-2025-1744
9.8 CRITICAL

Out-of-bounds Write vulnerability in radareorg radare2 allows heap-based buffer over-read or buffer overflow.This issue affects radare2: before <5.9.9.

Feb 28, 2025
CVE-2024-37567
9.1 CRITICAL

Infoblox NIOS through 8.6.4 has Improper Access Control for Grids.

Feb 27, 2025
CVE-2024-37566
9.8 CRITICAL

Infoblox NIOS through 8.6.4 has Improper Authentication for Grids.

Feb 27, 2025
CVE-2024-36047
9.8 CRITICAL

Infoblox NIOS through 8.6.4 and 9.x through 9.0.3 has Improper Input Validation.

Feb 27, 2025
CVE-2024-36046
9.8 CRITICAL

Infoblox NIOS through 8.6.4 executes with more privileges than required.

Feb 27, 2025
CVE-2025-26325
9.8 CRITICAL

ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php.

Feb 27, 2025
CVE-2025-25570
9.8 CRITICAL

Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials.

Feb 27, 2025
CVE-2024-38292
9.8 CRITICAL

In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.

Feb 27, 2025
CVE-2024-55160
9.8 CRITICAL

GFast between v2 to v3.2 was discovered to contain a SQL injection vulnerability via the OrderBy parameter at /system/operLog/list.

Feb 27, 2025
CVE-2024-51139
9.8 CRITICAL

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 …

Feb 27, 2025
CVE-2024-51138
9.8 CRITICAL

Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 …

Feb 27, 2025
CVE-2025-22952
9.8 CRITICAL

elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

Feb 27, 2025
CVE-2024-53944
9.8 CRITICAL

An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can …

Feb 27, 2025
CVE-2025-0767
9.8 CRITICAL

WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php.

Feb 27, 2025
CVE-2024-13148
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yukseloglu Filter B2B Login Platform allows SQL Injection.This issue affects B2B …

Feb 27, 2025
CVE-2025-27154
9.8 CRITICAL

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to …

Feb 27, 2025
CVE-2025-1751
9.8 CRITICAL

A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via …

Feb 27, 2025
CVE-2024-57040
9.8 CRITICAL

TP-Link TL-WR845N devices with firmware TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 was discovered to contain a hardcoded password for the root account which can be obtained by analyzing …

Feb 26, 2025
CVE-2024-53573
9.8 CRITICAL

Unifiedtransform v2.X is vulnerable to Incorrect Access Control. Unauthorized users can access and manipulate endpoints intended exclusively for administrative use. This issue specifically affects teacher/edit/{id}.

Feb 26, 2025
CVE-2024-50693
9.1 CRITICAL

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model.

Feb 26, 2025
CVE-2024-50689
9.1 CRITICAL

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model.

Feb 26, 2025
CVE-2024-50688
9.8 CRITICAL

SunGrow iSolarCloud Android application V2.1.6.20241017 and prior contains hardcoded credentials. The application (regardless of the user account) and the cloud uses the same MQTT credentials …

Feb 26, 2025
CVE-2024-50687
9.1 CRITICAL

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.

Feb 26, 2025
CVE-2024-50686
9.1 CRITICAL

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model.

Feb 26, 2025
CVE-2024-50685
9.1 CRITICAL

SunGrow iSolarCloud before the October 31, 2024 remediation, is vulnerable to insecure direct object references (IDOR) via the powerStationService API model.

Feb 26, 2025
CVE-2025-25790
9.8 CRITICAL

An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.

Feb 26, 2025
CVE-2025-25789
9.8 CRITICAL

FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php.

Feb 26, 2025
CVE-2025-25785
9.1 CRITICAL

JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \c\PluginsController.php. This vulnerability allows attackers to perform an intranet scan via …

Feb 26, 2025
CVE-2025-25784
9.8 CRITICAL

An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file.

Feb 26, 2025
CVE-2025-25783
9.8 CRITICAL

An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file.

Feb 26, 2025
CVE-2025-1716
9.8 CRITICAL

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a …

Feb 26, 2025
CVE-2024-47051
9.1 CRITICAL

This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users. * Remote Code Execution …

Feb 26, 2025
CVE-2025-25521
9.8 CRITICAL

Seacms <=13.3 is vulnerable to SQL Injection in admin_type_news.php.

Feb 25, 2025
CVE-2025-25520
9.8 CRITICAL

Seacms <13.3 is vulnerable to SQL Injection in admin_pay.php.

Feb 25, 2025
CVE-2025-25519
9.8 CRITICAL

Seacms <=13.3 is vulnerable to SQL Injection in admin_zyk.php.

Feb 25, 2025
CVE-2025-25517
9.8 CRITICAL

Seacms <=13.3 is vulnerable to SQL Injection in admin_reslib.php.

Feb 25, 2025
CVE-2025-25516
9.8 CRITICAL

Seacms <=13.3 is vulnerable to SQL Injection in admin_paylog.php.

Feb 25, 2025
CVE-2025-27135
9.8 CRITICAL

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from …

Feb 25, 2025
CVE-2025-26974
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Blind SQL Injection.This issue affects …

Feb 25, 2025
CVE-2025-26966
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.5.

Feb 25, 2025
CVE-2025-26943
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jürgen Müller Easy Quotes easy-quotes allows Blind SQL Injection.This issue affects …

Feb 25, 2025
CVE-2025-26900
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX flexmls-idx allows Object Injection.This issue affects Flexmls® IDX: from n/a through <= 3.14.27.

Feb 25, 2025
CVE-2023-25574
10.0 CRITICAL

`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to …

Feb 25, 2025
CVE-2025-1128
9.8 CRITICAL

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, …

Feb 25, 2025
CVE-2025-22974
9.8 CRITICAL

SQL Injection vulnerability in SeaCMS v.13.2 and before allows a remote attacker to execute arbitrary code via the DoTranExecSql parameter in the phome.php component.

Feb 24, 2025
CVE-2024-56525
9.8 CRITICAL

In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create …

Feb 24, 2025
CVE-2024-53544
9.8 CRITICAL

NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the getCookieNames method in …

Feb 24, 2025
CVE-2025-27140
9.8 CRITICAL

WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` …

Feb 24, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.