CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-15111
9.8 CRITICAL

Ksenia Security lares (legacy model) version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain administrative access. Attackers can exploit the weak …

Dec 30, 2025
CVE-2024-58338
10.0 CRITICAL

Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit …

Dec 30, 2025
CVE-2023-54327
9.8 CRITICAL

Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit …

Dec 30, 2025
CVE-2023-53983
9.8 CRITICAL

Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to …

Dec 30, 2025
CVE-2022-50803
9.8 CRITICAL

JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges.

Dec 30, 2025
CVE-2022-50796
9.8 CRITICAL

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script …

Dec 30, 2025
CVE-2022-50794
9.8 CRITICAL

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting …

Dec 30, 2025
CVE-2022-50696
9.8 CRITICAL

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these …

Dec 30, 2025
CVE-2022-50694
9.8 CRITICAL

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject …

Dec 30, 2025
CVE-2022-50691
9.8 CRITICAL

MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the 'command' GET parameter. Attackers can …

Dec 30, 2025
CVE-2025-50343
9.8 CRITICAL

An issue was discovered in matio 1.5.28. A heap-based memory corruption can occur in Mat_VarCreateStruct() when the nfields value does not match the actual number …

Dec 30, 2025
CVE-2025-56332
9.1 CRITICAL

Authentication Bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resource via Insecure Default Configuration

Dec 30, 2025
CVE-2025-68926
9.8 CRITICAL

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs …

Dec 30, 2025
CVE-2025-66848
9.8 CRITICAL

JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and …

Dec 30, 2025
CVE-2025-52835
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows Upload a Web Shell to a Web Server.This issue affects WING …

Dec 30, 2025
CVE-2025-15255
9.8 CRITICAL

A vulnerability was determined in Tenda W6-S 1.0.0.4(510). This impacts an unknown function of the file /bin/httpd of the component R7websSsecurityHandler. Executing a manipulation of …

Dec 30, 2025
CVE-2025-15359
9.1 CRITICAL

DVP-12SE11T - Out-of-bound memory write Vulnerability

Dec 30, 2025
CVE-2025-15102
9.1 CRITICAL

DVP-12SE11T - Password Protection Bypass

Dec 30, 2025
CVE-2025-69234
9.1 CRITICAL

Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment.

Dec 30, 2025
CVE-2025-68860
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through …

Dec 29, 2025
CVE-2025-68562
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a …

Dec 29, 2025
CVE-2024-27480
9.8 CRITICAL

givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload.

Dec 29, 2025
CVE-2024-25182
9.8 CRITICAL

givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php.

Dec 29, 2025
CVE-2024-25181
9.1 CRITICAL

A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from …

Dec 29, 2025
CVE-2025-68706
9.8 CRITICAL

A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to …

Dec 29, 2025
CVE-2025-69201
9.8 CRITICAL

Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitary arguments can be injected in tugtainer-agent `POST api/command/run`. …

Dec 29, 2025
CVE-2025-68897
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode if-as-shortcode allows Code Injection.This issue affects IF AS Shortcode: …

Dec 29, 2025
CVE-2025-56333
9.8 CRITICAL

An issue in Fossorial fosrl/pangolin v.1.6.2 and before allows a remote attacker to escalate privileges via the 2FA component

Dec 29, 2025
CVE-2025-15194
9.8 CRITICAL

A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component …

Dec 29, 2025
CVE-2025-68929
9.0 CRITICAL

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a …

Dec 29, 2025
CVE-2025-65570
9.8 CRITICAL

A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an “instanceof” expression uses an array element access …

Dec 29, 2025
CVE-2025-57460
9.8 CRITICAL

File upload vulnerability in machsol machpanel 8.0.32 allows attacker to gain a webshell.

Dec 29, 2025
CVE-2025-15228
9.8 CRITICAL

BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary …

Dec 29, 2025
CVE-2025-15226
9.8 CRITICAL

WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code …

Dec 29, 2025
CVE-2025-52691
10.0 CRITICAL KEV

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code …

Dec 29, 2025
CVE-2025-54322
10.0 CRITICAL

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are …

Dec 27, 2025
CVE-2025-68952
9.8 CRITICAL

Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker …

Dec 27, 2025
CVE-2025-68932
9.8 CRITICAL

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication …

Dec 27, 2025
CVE-2025-66203
9.9 CRITICAL

StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application …

Dec 27, 2025
CVE-2025-68668
9.9 CRITICAL

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that …

Dec 26, 2025
CVE-2024-44065
9.8 CRITICAL

Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter.

Dec 26, 2025
CVE-2025-13915
9.8 CRITICAL

IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.

Dec 26, 2025
CVE-2025-8769
9.8 CRITICAL

Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an …

Dec 24, 2025
CVE-2025-68916
9.1 CRITICAL

Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution.

Dec 24, 2025
CVE-2019-25249
9.8 CRITICAL

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can …

Dec 24, 2025
CVE-2019-25241
9.8 CRITICAL

FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration …

Dec 24, 2025
CVE-2019-25240
9.8 CRITICAL

Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web …

Dec 24, 2025
CVE-2019-25237
9.8 CRITICAL

V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers …

Dec 24, 2025
CVE-2019-25236
9.8 CRITICAL

iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video …

Dec 24, 2025
CVE-2019-25235
9.8 CRITICAL

Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to …

Dec 24, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.