CVE Database

36709+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-34442
7.5 HIGH

AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying …

Dec 17, 2025
CVE-2025-34441
7.5 HIGH

AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, …

Dec 17, 2025
CVE-2025-34438
8.1 HIGH

AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. …

Dec 17, 2025
CVE-2025-34437
8.8 HIGH

AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits …

Dec 17, 2025
CVE-2025-34436
8.8 HIGH

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. …

Dec 17, 2025
CVE-2025-67174
7.5 HIGH

A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via a directory traversal in the admin_language_file …

Dec 17, 2025
CVE-2025-67171
7.5 HIGH

Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal.

Dec 17, 2025
CVE-2025-66953
8.8 HIGH

CSRF vulnerability in narda miteq Uplink Power Contril Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the Web-based management interface and …

Dec 17, 2025
CVE-2025-66395
8.8 HIGH

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, …

Dec 17, 2025
CVE-2024-46062
7.8 HIGH

Miniconda3 macOS installers before 23.11.0-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and …

Dec 17, 2025
CVE-2024-46060
7.8 HIGH

Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and …

Dec 17, 2025
CVE-2025-67172
7.2 HIGH

RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.

Dec 17, 2025
CVE-2025-66923
7.2 HIGH

A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML …

Dec 17, 2025
CVE-2025-65203
7.1 HIGH

KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script …

Dec 17, 2025
CVE-2025-67285
7.3 HIGH

A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that …

Dec 17, 2025
CVE-2025-66921
7.2 HIGH

A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or …

Dec 17, 2025
CVE-2025-53919
7.8 HIGH

An issue was discovered in the Portrait Dell Color Management application through 3.3.008 for Dell monitors, It creates a temporary folder, with weak permissions, during …

Dec 17, 2025
CVE-2025-53398
7.8 HIGH

The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions,

Dec 17, 2025
CVE-2025-14727
8.3 HIGH

A vulnerability exists in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Dec 17, 2025
CVE-2024-29371
7.5 HIGH

In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high …

Dec 17, 2025
CVE-2025-14097
7.2 HIGH

A vulnerability in the application software of multiple Radiometer products may allow remote code execution and unauthorized device management when specific internal conditions are met. …

Dec 17, 2025
CVE-2025-14096
8.4 HIGH

A vulnerability exists in multiple Radiometer products that allow an attacker with physical access to the analyzer possibility to extract credential information. The vulnerability is …

Dec 17, 2025
CVE-2025-14101
7.1 HIGH

Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers.This issue affects PaperWork: from 5.2.0.9427 before 6.0.

Dec 17, 2025
CVE-2025-11924
7.5 HIGH

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up …

Dec 17, 2025
CVE-2025-14305
7.8 HIGH

ListCheck.exe developed by Acer has a Local Privilege Escalation vulnerability. Authenticated local attackers can replace ListCheck.exe with a malicious executable of the same name, which …

Dec 17, 2025
CVE-2025-53524
7.8 HIGH

Fuji Electric Monitouch V-SFT-6 is vulnerable to an out-of-bounds write while processing a specially crafted project file, which may allow an attacker to execute arbitrary …

Dec 17, 2025
CVE-2025-14701
7.1 HIGH

An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.

Dec 17, 2025
CVE-2025-14766
8.8 HIGH

Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a …

Dec 16, 2025
CVE-2025-14765
8.8 HIGH

Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Dec 16, 2025
CVE-2025-68274
7.5 HIGH

SIPGO is a library for writing SIP services in the GO language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference …

Dec 16, 2025
CVE-2025-53619
7.4 HIGH

An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An …

Dec 16, 2025
CVE-2025-53618
7.4 HIGH

An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An …

Dec 16, 2025
CVE-2025-52582
7.4 HIGH

An out-of-bounds read vulnerability exists in the Overlay::GrabOverlayFromPixelData functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An …

Dec 16, 2025
CVE-2025-48429
7.4 HIGH

An out-of-bounds read vulnerability exists in the RLECodec::DecodeByStreams functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to leaking heap data. An …

Dec 16, 2025
CVE-2025-68156
7.5 HIGH

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and …

Dec 16, 2025
CVE-2025-68155
7.5 HIGH

@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development …

Dec 16, 2025
CVE-2025-68154
8.1 HIGH

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command …

Dec 16, 2025
CVE-2025-65593
8.8 HIGH

nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality.

Dec 16, 2025
CVE-2025-52196
7.5 HIGH

Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted …

Dec 16, 2025
CVE-2025-33235
7.8 HIGH

NVIDIA Resiliency Extension for Linux contains a vulnerability in the checkpointing core, where an attacker may cause a race condition. A successful exploit of this …

Dec 16, 2025
CVE-2025-33226
7.8 HIGH

NVIDIA NeMo Framework for all platforms contains a vulnerability where malicious data created by an attacker may cause a code injection. A successful exploit of …

Dec 16, 2025
CVE-2025-33225
8.4 HIGH

NVIDIA Resiliency Extension for Linux contains a vulnerability in log aggregation, where an attacker could cause predictable log-file names. A successful exploit of this vulnerability …

Dec 16, 2025
CVE-2025-33212
7.3 HIGH

NVIDIA NeMo Framework contains a vulnerability in model loading that could allow an attacker to exploit improper control mechanisms if a user loads a maliciously …

Dec 16, 2025
CVE-2023-53900
8.8 HIGH

Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking …

Dec 16, 2025
CVE-2023-53896
7.5 HIGH

D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download device configuration settings without authentication. Attackers can exploit …

Dec 16, 2025
CVE-2025-68116
8.9 HIGH

FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling …

Dec 16, 2025
CVE-2025-10450
7.5 HIGH

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.This issue affects Connext Professional: from …

Dec 16, 2025
CVE-2025-65074
7.2 HIGH

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able …

Dec 16, 2025
CVE-2025-13474
7.5 HIGH

Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.This issue affects Mobile App: before 9.5.8.

Dec 16, 2025
CVE-2025-14002
8.1 HIGH

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due …

Dec 16, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.