CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-26361
9.1 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26359
9.8 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26347
9.8 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26345
9.8 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26344
9.8 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26342
9.8 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26341
9.8 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26339
9.8 CRITICAL

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-1100
9.8 CRITICAL

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker …

Feb 12, 2025
CVE-2024-10960
9.9 CRITICAL

The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in …

Feb 12, 2025
CVE-2024-13365
9.8 CRITICAL

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives …

Feb 12, 2025
CVE-2024-12213
9.8 CRITICAL

The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin …

Feb 12, 2025
CVE-2024-13421
9.8 CRITICAL

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to …

Feb 12, 2025
CVE-2022-3180
9.8 CRITICAL

The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious …

Feb 11, 2025
CVE-2025-25530
9.8 CRITICAL

Buffer overflow vulnerability in Digital China DCBI-Netlog-LAB Gateway 1.0 due to the lack of length verification, which is related to saving parental control configuration information. …

Feb 11, 2025
CVE-2025-1044
9.8 CRITICAL

Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is …

Feb 11, 2025
CVE-2025-24434
9.1 CRITICAL

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker …

Feb 11, 2025
CVE-2025-21198
9.0 CRITICAL

Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability

Feb 11, 2025
CVE-2025-1126
9.3 CRITICAL

A Reliance on Untrusted Inputs in a Security Decision vulnerability has been identified in the Lexmark Print Management Client.

Feb 11, 2025
CVE-2025-24973
9.3 CRITICAL

Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the …

Feb 11, 2025
CVE-2025-22467
9.9 CRITICAL

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.

Feb 11, 2025
CVE-2024-47908
9.1 CRITICAL

OS command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote …

Feb 11, 2025
CVE-2024-10644
9.1 CRITICAL

Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to …

Feb 11, 2025
CVE-2024-12366
9.8 CRITICAL

PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution (RCE) …

Feb 11, 2025
CVE-2025-26410
9.8 CRITICAL

The firmware of all Wattsense Bridge devices contain the same hard-coded user and root credentials. The user password can be easily recovered via password cracking …

Feb 11, 2025
CVE-2025-0181
9.8 CRITICAL

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.8. This is due …

Feb 11, 2025
CVE-2025-0180
9.8 CRITICAL

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.7. This is due to the plugin …

Feb 11, 2025
CVE-2025-1144
9.8 CRITICAL

School Affairs System from Quanxun has an Exposure of Sensitive Information, allowing unauthenticated attackers to view specific pages and obtain database information as well as …

Feb 11, 2025
CVE-2025-24016
9.9 CRITICAL KEV

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an …

Feb 10, 2025
CVE-2024-13011
9.8 CRITICAL

The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up …

Feb 10, 2025
CVE-2025-0316
9.8 CRITICAL

The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication …

Feb 8, 2025
CVE-2024-55215
9.8 CRITICAL

An issue in trojan v.2.0.0 through v.2.15.3 allows a remote attacker to escalate privileges via the initialization interface /auth/register.

Feb 7, 2025
CVE-2024-57707
9.8 CRITICAL

An issue in DataEase v1 allows an attacker to execute arbitrary code via the user account and password components.

Feb 7, 2025
CVE-2025-1107
9.9 CRITICAL

Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current …

Feb 7, 2025
CVE-2025-25107
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites onestore-sites allows Cross Site Request Forgery.This issue affects OneStore Sites: from n/a through <= 0.1.1.

Feb 7, 2025
CVE-2025-25106
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in FancyWP Starter Templates by FancyWP starter-templates allows Cross Site Request Forgery.This issue affects Starter Templates by FancyWP: from n/a …

Feb 7, 2025
CVE-2025-25101
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites munk-sites allows Cross Site Request Forgery.This issue affects Munk Sites: from n/a through <= 1.0.7.

Feb 7, 2025
CVE-2025-1061
9.8 CRITICAL

The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient …

Feb 7, 2025
CVE-2025-0674
9.8 CRITICAL

Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by …

Feb 7, 2025
CVE-2025-24786
10.0 CRITICAL

WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal …

Feb 6, 2025
CVE-2025-22992
9.8 CRITICAL

A SQL Injection vulnerability exists in the /feed/insert.json endpoint of the Emoncms project >= 11.6.9. The vulnerability is caused by improper handling of user-supplied input …

Feb 6, 2025
CVE-2025-24981
9.3 CRITICAL

MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the …

Feb 6, 2025
CVE-2024-36556
9.1 CRITICAL

Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability.

Feb 6, 2025
CVE-2024-36555
9.8 CRITICAL

Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change the device …

Feb 6, 2025
CVE-2024-36554
9.8 CRITICAL

Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allow a malicious user to gain information about the device by sending …

Feb 6, 2025
CVE-2024-57430
9.8 CRITICAL

An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting …

Feb 6, 2025
CVE-2024-57428
9.3 CRITICAL

A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat …

Feb 6, 2025
CVE-2024-39272
9.0 CRITICAL

A cross-site scripting (xss) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to an …

Feb 6, 2025
CVE-2022-40916
9.8 CRITICAL

Tiny File Manager v2.4.7 and below is vulnerable to session fixation.

Feb 6, 2025
CVE-2025-0982
10.0 CRITICAL

Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed …

Feb 6, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.