CVE Database

37700+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-46439
7.4 HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac Plugin Central plugin-central allows Path Traversal.This issue affects Plugin Central: from n/a through <= 2.5.1.

Apr 24, 2025
CVE-2025-46435
7.1 HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani Time Based Greeting time-based-greeting allows Stored XSS.This issue affects Time Based Greeting: from n/a through <= 2.2.2.

Apr 24, 2025
CVE-2025-46234
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Razib Control Listings control-listings allows Reflected XSS.This issue affects Control Listings: …

Apr 24, 2025
CVE-2025-46230
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GhozyLab Popup Builder easy-notify-lite allows PHP Local File Inclusion.This …

Apr 24, 2025
CVE-2025-39408
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EverPress BruteGuard – Brute Force Login Protection bruteguard allows Reflected XSS.This issue affects …

Apr 24, 2025
CVE-2025-39400
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Reflected XSS.This issue affects User Registration: from n/a …

Apr 24, 2025
CVE-2025-39399
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashraful Sarkar Naiem License For Envato license-envato allows PHP …

Apr 24, 2025
CVE-2025-39397
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in [email protected] Anything Popup anything-popup allows Reflected XSS.This issue affects Anything Popup: from n/a …

Apr 24, 2025
CVE-2025-39391
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zamartz Checkout Field Visibility for WooCommerce checkout-field-visibility-for-woocommerce allows PHP …

Apr 24, 2025
CVE-2025-39387
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpoperations Opstore opstore allows PHP Local File Inclusion.This issue …

Apr 24, 2025
CVE-2025-39384
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cedcommerce Product Lister for eBay product-lister-ebay allows PHP Local …

Apr 24, 2025
CVE-2025-39383
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codeworkweb Xews Lite xews-lite allows PHP Local File Inclusion.This …

Apr 24, 2025
CVE-2025-39382
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector acf-google-font-selector-field allows Reflected XSS.This issue affects ACF: Google …

Apr 24, 2025
CVE-2025-39381
7.1 HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync allows Stored XSS. This issue affects KiotViet Sync: from n/a through 1.8.4.

Apr 24, 2025
CVE-2025-39379
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly capturly-optimize-your-website allows PHP Local File Inclusion.This issue …

Apr 24, 2025
CVE-2025-39378
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP …

Apr 24, 2025
CVE-2025-39377
8.5 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Appsero Helper appsero-helper allows SQL Injection.This issue affects Appsero Helper: …

Apr 24, 2025
CVE-2025-39360
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in everestthemes Grace Mag grace-mag allows PHP Local File Inclusion.This …

Apr 24, 2025
CVE-2025-39359
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codeworkweb CWW Portfolio cww-portfolio allows PHP Local File Inclusion.This …

Apr 24, 2025
CVE-2025-32921
7.5 HIGH

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpoperations Arrival arrival allows PHP Local File Inclusion.This issue …

Apr 24, 2025
CVE-2025-27820
7.5 HIGH

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient …

Apr 24, 2025
CVE-2025-3872
7.2 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection. A user …

Apr 24, 2025
CVE-2021-47663
8.1 HIGH

Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full …

Apr 24, 2025
CVE-2021-47662
7.5 HIGH

Due to missing authorization an unauthenticated remote attacker can cause a DoS attack by connecting via HTTPS and triggering the shutdown button.

Apr 24, 2025
CVE-2025-3776
8.3 HIGH

The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the …

Apr 24, 2025
CVE-2025-3607
8.8 HIGH

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.8. …

Apr 24, 2025
CVE-2025-3300
7.2 HIGH

The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This …

Apr 24, 2025
CVE-2025-3101
8.8 HIGH

The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7. This is due to the …

Apr 24, 2025
CVE-2025-3058
8.8 HIGH

The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check …

Apr 24, 2025
CVE-2025-1908
7.7 HIGH

An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account take-over, affecting …

Apr 24, 2025
CVE-2025-3761
8.8 HIGH

The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is …

Apr 24, 2025
CVE-2025-2558
8.6 HIGH

The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform …

Apr 24, 2025
CVE-2025-46417
7.5 HIGH

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

Apr 24, 2025
CVE-2025-27580
7.5 HIGH

NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus …

Apr 24, 2025
CVE-2025-46397
7.8 HIGH

A flaw was found in xfig. This vulnerability allows possible code execution via local input manipulation via bezier_spline function.

Apr 23, 2025
CVE-2025-32818
7.5 HIGH

A Null Pointer Dereference vulnerability in the SonicOS SSLVPN Virtual office interface allows a remote, unauthenticated attacker to crash the firewall, potentially leading to a …

Apr 23, 2025
CVE-2025-28169
8.1 HIGH

BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to cend broadcasts to the manufacturer's cloud server unencrypted, allowing attackers to execute a …

Apr 23, 2025
CVE-2025-3904
7.3 HIGH

Vulnerability in Drupal Sportsleague.This issue affects Sportsleague: *.*.

Apr 23, 2025
CVE-2025-3903
7.3 HIGH

Vulnerability in Drupal UEditor - 百度编辑器.This issue affects UEditor - 百度编辑器: *.*.

Apr 23, 2025
CVE-2025-2773
7.2 HIGH

BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of …

Apr 23, 2025
CVE-2025-2769
7.8 HIGH

Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Bdrive NetDrive. An …

Apr 23, 2025
CVE-2025-2768
7.8 HIGH

Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Bdrive NetDrive. An …

Apr 23, 2025
CVE-2025-2765
8.8 HIGH

CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of CarlinKit CPC200-CCPA devices. Authentication …

Apr 23, 2025
CVE-2025-2764
8.0 HIGH

CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of CarlinKit …

Apr 23, 2025
CVE-2025-2762
7.8 HIGH

CarlinKit CPC200-CCPA Missing Root of Trust Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of CarlinKit CPC200-CCPA devices. …

Apr 23, 2025
CVE-2025-2761
7.8 HIGH

GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User …

Apr 23, 2025
CVE-2025-2760
7.8 HIGH

GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User …

Apr 23, 2025
CVE-2025-28028
7.3 HIGH

TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in downloadFile.cgi through the v5 parameter.

Apr 23, 2025
CVE-2025-28025
7.3 HIGH

TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in downloadFile.cgi through the v14 parameter.

Apr 23, 2025
CVE-2025-28022
7.3 HIGH

TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v25 parameter.

Apr 23, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.