CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-63386
9.1 CRITICAL

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any …

Dec 18, 2025
CVE-2025-14878
9.8 CRITICAL

A security flaw has been discovered in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/wirelessRestart of the component HTTP Request Handler. …

Dec 18, 2025
CVE-2025-14860
9.8 CRITICAL

Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1.

Dec 18, 2025
CVE-2025-66078
9.1 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from …

Dec 18, 2025
CVE-2025-66074
9.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.

Dec 18, 2025
CVE-2025-64374
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using Malicious Files.This issue affects Motors: from n/a through <= 5.6.81.

Dec 18, 2025
CVE-2025-64233
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in BoldThemes Codiqa codiqa allows Object Injection.This issue affects Codiqa: from n/a through < 1.2.8.

Dec 18, 2025
CVE-2025-64231
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue …

Dec 18, 2025
CVE-2025-64227
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection.This issue affects Client Invoicing by Sprout Invoices: from n/a …

Dec 18, 2025
CVE-2025-64206
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.

Dec 18, 2025
CVE-2025-64188
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in PenciDesign Soledad soledad allows Privilege Escalation.This issue affects Soledad: from n/a through <= 8.6.9.

Dec 18, 2025
CVE-2025-60180
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through …

Dec 18, 2025
CVE-2025-60178
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through …

Dec 18, 2025
CVE-2025-60174
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection.This issue affects WP Gravity Forms Constant Contact …

Dec 18, 2025
CVE-2025-60091
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho …

Dec 18, 2025
CVE-2025-60090
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through …

Dec 18, 2025
CVE-2025-60089
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from …

Dec 18, 2025
CVE-2025-60062
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mmetrodw tPlayer tplayer-html5-audio-player-with-playlist allows SQL Injection.This issue affects tPlayer: from n/a …

Dec 18, 2025
CVE-2025-58951
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This …

Dec 18, 2025
CVE-2025-54723
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.This issue affects DentiCare: from n/a through < 1.4.3.

Dec 18, 2025
CVE-2025-53433
9.8 CRITICAL

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion.This issue …

Dec 18, 2025
CVE-2025-47372
9.0 CRITICAL

Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication.

Dec 18, 2025
CVE-2025-68435
9.1 CRITICAL

Zerobyte is a backup automation tool Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied …

Dec 17, 2025
CVE-2025-68145
9.1 CRITICAL

In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did …

Dec 17, 2025
CVE-2023-53926
9.8 CRITICAL

PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted …

Dec 17, 2025
CVE-2023-53923
9.8 CRITICAL

UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST …

Dec 17, 2025
CVE-2023-53922
9.8 CRITICAL

TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload …

Dec 17, 2025
CVE-2023-53921
9.8 CRITICAL

SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar …

Dec 17, 2025
CVE-2023-53914
9.8 CRITICAL

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a …

Dec 17, 2025
CVE-2025-68118
9.1 CRITICAL

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. …

Dec 17, 2025
CVE-2025-68112
9.6 CRITICAL

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to …

Dec 17, 2025
CVE-2025-68110
9.9 CRITICAL

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and …

Dec 17, 2025
CVE-2025-68109
9.1 CRITICAL

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of …

Dec 17, 2025
CVE-2025-67791
9.8 CRITICAL

An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. An incomplete configuration (agent authentication) in DriveLock tenant allows …

Dec 17, 2025
CVE-2025-67793
9.8 CRITICAL

An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 before 25.1.6. Users with the "Manage roles and permissions" privilege can …

Dec 17, 2025
CVE-2025-66647
9.8 CRITICAL

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was …

Dec 17, 2025
CVE-2025-43526
9.8 CRITICAL

This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, …

Dec 17, 2025
CVE-2025-43428
9.8 CRITICAL

A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in …

Dec 17, 2025
CVE-2025-67787
9.6 CRITICAL

An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network.

Dec 17, 2025
CVE-2025-67781
9.9 CRITICAL

An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate privileged processes to gain …

Dec 17, 2025
CVE-2025-67073
9.8 CRITICAL

A Buffer overflow vulnerability in function fromAdvSetMacMtuWan of bin httpd in Tenda AC10V4.0 V16.03.10.20 allows remote attackers to cause denial of service and possibly code …

Dec 17, 2025
CVE-2025-34434
9.1 CRITICAL

AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images …

Dec 17, 2025
CVE-2025-62521
10.0 CRITICAL

ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to …

Dec 17, 2025
CVE-2025-67165
9.8 CRITICAL

An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.

Dec 17, 2025
CVE-2025-67164
9.9 CRITICAL

An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP …

Dec 17, 2025
CVE-2025-20393
10.0 CRITICAL KEV

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow …

Dec 17, 2025
CVE-2025-44005
10.0 CRITICAL

An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.

Dec 17, 2025
CVE-2022-23851
9.8 CRITICAL

Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).

Dec 17, 2025
CVE-2025-67895
9.8 CRITICAL

Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it …

Dec 17, 2025
CVE-2025-59374
9.8 CRITICAL KEV

"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds …

Dec 17, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.