CVE Database

36731+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-11307
8.8 HIGH

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users …

Nov 11, 2025
CVE-2025-12637
8.8 HIGH

The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in …

Nov 11, 2025
CVE-2025-11521
8.1 HIGH

The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs …

Nov 11, 2025
CVE-2025-11451
7.5 HIGH

The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary files reads in all versions up to, and including, …

Nov 11, 2025
CVE-2025-11168
8.8 HIGH

The Mementor Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.5. This is due to plugin not …

Nov 11, 2025
CVE-2025-42940
7.5 HIGH

SAP CommonCryptoLib does not perform necessary boundary checks during pre-authentication parsing of manipulated ASN.1 data over the network. This may result in memory corruption followed …

Nov 11, 2025
CVE-2025-64519
8.8 HIGH

TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In versions up to and including 2.8.8, an authenticated SQL injection vulnerability exists …

Nov 10, 2025
CVE-2025-63678
7.2 HIGH

An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute …

Nov 10, 2025
CVE-2025-11578
7.2 HIGH

A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by …

Nov 10, 2025
CVE-2025-64518
7.5 HIGH

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version …

Nov 10, 2025
CVE-2025-64512
8.6 HIGH

Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute …

Nov 10, 2025
CVE-2025-64509
7.5 HIGH

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time …

Nov 10, 2025
CVE-2025-64508
7.5 HIGH

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent …

Nov 10, 2025
CVE-2025-64507
7.8 HIGH

Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment …

Nov 10, 2025
CVE-2025-64501
7.6 HIGH

ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting …

Nov 10, 2025
CVE-2025-64484
8.5 HIGH

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load …

Nov 10, 2025
CVE-2025-64183
7.5 HIGH

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through …

Nov 10, 2025
CVE-2025-64182
7.8 HIGH

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through …

Nov 10, 2025
CVE-2025-64181
7.5 HIGH

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through …

Nov 10, 2025
CVE-2025-64167
7.1 HIGH

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to …

Nov 10, 2025
CVE-2025-49145
8.7 HIGH

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create …

Nov 10, 2025
CVE-2025-48065
8.8 HIGH

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with …

Nov 10, 2025
CVE-2025-48055
8.5 HIGH

Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user …

Nov 10, 2025
CVE-2025-63149
7.5 HIGH

Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the urls parameter of the get_parentControl_list_Info function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-47932
8.8 HIGH

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is …

Nov 10, 2025
CVE-2025-12727
8.8 HIGH

Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium …

Nov 10, 2025
CVE-2025-12726
7.5 HIGH

Inappropriate implementation in Views in Google Chrome on Windows prior to 142.0.7444.137 allowed a remote attacker who had compromised the renderer process to perform privilege …

Nov 10, 2025
CVE-2025-12725
8.8 HIGH

Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory …

Nov 10, 2025
CVE-2025-12438
8.8 HIGH

Use after free in Ozone in Google Chrome on Linux and ChromeOS prior to 142.0.7444.59 allowed a remote attacker to potentially exploit object corruption via …

Nov 10, 2025
CVE-2025-12437
7.5 HIGH

Use after free in PageInfo in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures …

Nov 10, 2025
CVE-2025-12432
8.8 HIGH

Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security …

Nov 10, 2025
CVE-2025-12430
7.5 HIGH

Object lifecycle issue in Media in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium …

Nov 10, 2025
CVE-2025-12429
8.8 HIGH

Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security …

Nov 10, 2025
CVE-2025-12428
8.8 HIGH

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security …

Nov 10, 2025
CVE-2025-63288
7.5 HIGH

In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service.

Nov 10, 2025
CVE-2025-47773
8.8 HIGH

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is …

Nov 10, 2025
CVE-2025-47286
7.2 HIGH

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of …

Nov 10, 2025
CVE-2025-12967
8.0 HIGH

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a …

Nov 10, 2025
CVE-2025-63835
8.8 HIGH

A stack-based buffer overflow vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the guestSsid parameter of the /goform/WifiGuestSet interface. Remote attackers can …

Nov 10, 2025
CVE-2025-63497
7.1 HIGH

The patient prescription viewing functionality in his_doc_view_single_patient.php of rickxy Hospital Management System version 1.0 contains an SQL injection vulnerability. The pat_number GET parameter is directly …

Nov 10, 2025
CVE-2025-63457
7.5 HIGH

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the sub_4F55C function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-63456
7.5 HIGH

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the SetSysTimeCfg function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-63455
7.5 HIGH

Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-63147
7.5 HIGH

Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the deviceId parameter of the saveParentControlInfo function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-63154
7.5 HIGH

TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the addEffect parameter of the urldecode function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-63153
7.5 HIGH

TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the ssid parameter of the urldecode function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-63152
7.5 HIGH

Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the wpapsk_crypto parameter of the wlSetExternParameter function. This vulnerability allows attackers to cause a …

Nov 10, 2025
CVE-2025-46430
7.3 HIGH

Dell Display and Peripheral Manager, versions prior to 2.1.2.12, contains an Execution with Unnecessary Privileges vulnerability in the Installer. A low privileged attacker with local …

Nov 10, 2025
CVE-2025-63712
8.8 HIGH

Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows remote attackers to delete arbitrary user accounts via forged …

Nov 10, 2025
CVE-2025-63711
7.1 HIGH

A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform …

Nov 10, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.