CVE Database

36709+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-66238
7.2 HIGH

DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features …

Dec 4, 2025
CVE-2025-53704
7.5 HIGH

The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.

Dec 4, 2025
CVE-2025-1547
7.2 HIGH

A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially …

Dec 4, 2025
CVE-2025-1545
7.5 HIGH

An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed …

Dec 4, 2025
CVE-2025-12196
7.2 HIGH

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via a specially crafted CLI command.This …

Dec 4, 2025
CVE-2025-12195
7.2 HIGH

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via specially crafted IPSec configuration CLI …

Dec 4, 2025
CVE-2025-12026
7.2 HIGH

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS’s certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI …

Dec 4, 2025
CVE-2025-11838
7.5 HIGH

A memory corruption vulnerability in WatchGuard Fireware OS may allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition in the Mobile User …

Dec 4, 2025
CVE-2025-66575
7.8 HIGH

VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. …

Dec 4, 2025
CVE-2025-66573
7.5 HIGH

Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, …

Dec 4, 2025
CVE-2025-65959
8.7 HIGH

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes …

Dec 4, 2025
CVE-2025-63896
7.6 HIGH

An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary …

Dec 4, 2025
CVE-2025-55948
7.3 HIGH

This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control (RBAC) through dual dependency on frontend menu systems and backend permission tables, …

Dec 4, 2025
CVE-2025-13543
8.8 HIGH

The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions …

Dec 4, 2025
CVE-2025-65958
8.5 HIGH

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI …

Dec 4, 2025
CVE-2025-65883
8.4 HIGH

A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2–1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with …

Dec 4, 2025
CVE-2025-12995
8.1 HIGH

Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a …

Dec 4, 2025
CVE-2025-12097
7.5 HIGH

There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to …

Dec 4, 2025
CVE-2025-65945
7.5 HIGH

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when …

Dec 4, 2025
CVE-2025-65637
7.5 HIGH

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the …

Dec 4, 2025
CVE-2025-14015
8.8 HIGH

A weakness has been identified in H3C Magic B0 up to 100R002. This impacts the function EditWlanMacList of the file /goform/aspForm. This manipulation of the …

Dec 4, 2025
CVE-2025-63363
7.5 HIGH

A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers …

Dec 4, 2025
CVE-2025-66516
8.4 HIGH

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity …

Dec 4, 2025
CVE-2025-66287
8.8 HIGH

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling.

Dec 4, 2025
CVE-2025-63364
7.5 HIGH

Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to transmit Administrator credentials in plaintext.

Dec 4, 2025
CVE-2025-57213
7.5 HIGH

Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request.

Dec 4, 2025
CVE-2025-57212
7.5 HIGH

Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request.

Dec 4, 2025
CVE-2025-57210
7.5 HIGH

Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors.

Dec 4, 2025
CVE-2025-56427
7.5 HIGH

Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the _download_file_or_dir function.

Dec 4, 2025
CVE-2025-54160
7.8 HIGH

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to …

Dec 4, 2025
CVE-2025-54159
7.5 HIGH

Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors.

Dec 4, 2025
CVE-2025-54158
7.8 HIGH

Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

Dec 4, 2025
CVE-2025-54307
8.8 HIGH

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files …

Dec 4, 2025
CVE-2025-54306
7.2 HIGH

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming …

Dec 4, 2025
CVE-2025-54305
7.8 HIGH

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as …

Dec 4, 2025
CVE-2025-29846
7.2 HIGH

A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.

Dec 4, 2025
CVE-2024-45539
7.5 HIGH

Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers …

Dec 4, 2025
CVE-2025-11727
7.2 HIGH

The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the …

Dec 4, 2025
CVE-2025-66293
7.1 HIGH

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an …

Dec 3, 2025
CVE-2025-65868
7.5 HIGH

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

Dec 3, 2025
CVE-2025-66453
7.5 HIGH

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float …

Dec 3, 2025
CVE-2025-66411
7.8 HIGH

Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in …

Dec 3, 2025
CVE-2025-65027
7.6 HIGH

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file …

Dec 3, 2025
CVE-2025-13086
7.5 HIGH

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a …

Dec 3, 2025
CVE-2025-50360
8.4 HIGH

A heap buffer overflow in compiler.c and compiler.h in Pepper language 0.1.1commit 961a5d9988c5986d563310275adad3fd181b2bb7. Malicious execution of a pepper source file(.pr) could lead to arbitrary code …

Dec 3, 2025
CVE-2025-33211
7.5 HIGH

NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input. A successful exploit of …

Dec 3, 2025
CVE-2025-33208
8.8 HIGH

NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path. A successful exploit of this …

Dec 3, 2025
CVE-2025-33201
7.5 HIGH

NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause an improper check for unusual or exceptional conditions issue by sending extra large …

Dec 3, 2025
CVE-2025-12819
7.5 HIGH

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path …

Dec 3, 2025
CVE-2024-3884
7.5 HIGH

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form …

Dec 3, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.