CVE Database

36731+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-64685
8.1 HIGH

In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure

Nov 10, 2025
CVE-2025-64456
8.4 HIGH

In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation

Nov 10, 2025
CVE-2025-12938
7.3 HIGH

A vulnerability was identified in projectworlds Online Admission System 1.0. Affected by this vulnerability is an unknown functionality of the file /process_login.php. The manipulation of …

Nov 10, 2025
CVE-2025-41731
7.4 HIGH

A vulnerability was identified in the password generation algorithm when accessing the debug-interface. An unauthenticated local attacker with knowledge of the password generation timeframe might …

Nov 10, 2025
CVE-2025-62689
7.5 HIGH

NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd …

Nov 10, 2025
CVE-2025-59777
7.5 HIGH

NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd …

Nov 10, 2025
CVE-2025-12613
8.6 HIGH

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker …

Nov 10, 2025
CVE-2025-12929
7.3 HIGH

A flaw has been found in SourceCodester Survey Application System 1.0. This impacts the function save_user/update_user of the file /LoginRegistration.php. Executing manipulation of the argument …

Nov 10, 2025
CVE-2025-12928
7.3 HIGH

A vulnerability was detected in code-projects Online Job Search Engine 1.0. This affects an unknown function of the file /login.php. Performing manipulation of the argument …

Nov 10, 2025
CVE-2025-12867
7.2 HIGH

EIP Plus developed by Hundred Plus has an Arbitrary File Uplaod vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling …

Nov 10, 2025
CVE-2025-12865
8.8 HIGH

U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database …

Nov 10, 2025
CVE-2025-12864
8.8 HIGH

U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database …

Nov 10, 2025
CVE-2025-12925
7.3 HIGH

A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in …

Nov 10, 2025
CVE-2025-12399
7.2 HIGH

The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST …

Nov 8, 2025
CVE-2025-11967
7.2 HIGH

The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions …

Nov 8, 2025
CVE-2025-12099
7.2 HIGH

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, …

Nov 8, 2025
CVE-2025-9334
8.8 HIGH

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. …

Nov 8, 2025
CVE-2025-12161
8.8 HIGH

The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality …

Nov 8, 2025
CVE-2025-11452
7.5 HIGH

The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforum_unread_exclude']' cookie in all versions up to, and including, 3.1.0 due to …

Nov 8, 2025
CVE-2025-64496
7.3 HIGH

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct …

Nov 8, 2025
CVE-2025-64495
8.7 HIGH

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into …

Nov 8, 2025
CVE-2025-64492
8.8 HIGH

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows …

Nov 8, 2025
CVE-2025-64490
8.3 HIGH

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive …

Nov 8, 2025
CVE-2025-64489
8.3 HIGH

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user …

Nov 8, 2025
CVE-2025-64488
8.8 HIGH

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0 8.0.0-beta.1, an attacker can craft …

Nov 8, 2025
CVE-2025-12907
8.8 HIGH

Insufficient validation of untrusted input in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to execute arbitrary code via user action in …

Nov 8, 2025
CVE-2025-37736
8.8 HIGH

Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The …

Nov 7, 2025
CVE-2025-60574
7.5 HIGH

A Local File Inclusion (LFI) vulnerability has been identified in tQuadra CMS 4.2.1117. The issue exists in the "/styles/" path, which fails to properly sanitize …

Nov 7, 2025
CVE-2025-36186
7.4 HIGH

IBM Db2 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) under specific configurations could allow a local user to execute malicious …

Nov 7, 2025
CVE-2025-9458
7.8 HIGH

A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to …

Nov 7, 2025
CVE-2025-64430
7.5 HIGH

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 …

Nov 7, 2025
CVE-2025-64347
7.5 HIGH

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 …

Nov 7, 2025
CVE-2025-57698
7.5 HIGH

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by …

Nov 7, 2025
CVE-2025-63783
7.6 HIGH

A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. …

Nov 7, 2025
CVE-2025-58469
8.8 HIGH

A cross-site request forgery (CSRF) vulnerability has been reported to affect QuLog Center. The remote attackers can then exploit the vulnerability to gain privileges or …

Nov 7, 2025
CVE-2025-58464
7.5 HIGH

A relative path traversal vulnerability has been reported to affect QuMagie. If a remote attacker, they can then exploit the vulnerability to read the contents …

Nov 7, 2025
CVE-2025-10968
8.8 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in GG Soft Software Services …

Nov 7, 2025
CVE-2025-64343
7.8 HIGH

(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions …

Nov 7, 2025
CVE-2025-4519
8.8 HIGH

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on …

Nov 7, 2025
CVE-2025-64328
7.2 HIGH KEV

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the …

Nov 7, 2025
CVE-2025-64184
8.8 HIGH

Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects …

Nov 7, 2025
CVE-2025-5483
8.1 HIGH

The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to …

Nov 7, 2025
CVE-2025-62630
8.8 HIGH

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions.

Nov 6, 2025
CVE-2025-59171
7.5 HIGH

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions.

Nov 6, 2025
CVE-2025-58423
8.8 HIGH

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to cause a denial-of-service condition, traverse directories, or read/write files, within the …

Nov 6, 2025
CVE-2025-12036
8.8 HIGH

Out of bounds memory access in V8 in Google Chrome prior to 141.0.7390.122 allowed a remote attacker to perform out of bounds memory access via …

Nov 6, 2025
CVE-2025-11756
8.8 HIGH

Use after free in Safe Browsing in Google Chrome prior to 141.0.7390.107 allowed a remote attacker who had compromised the renderer process to potentially perform …

Nov 6, 2025
CVE-2025-11460
8.8 HIGH

Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. (Chromium …

Nov 6, 2025
CVE-2025-11458
8.1 HIGH

Heap buffer overflow in Sync in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to perform an out of bounds memory read via a …

Nov 6, 2025
CVE-2025-11211
7.5 HIGH

Out of bounds read in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via …

Nov 6, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.