CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-14700
9.9 CRITICAL

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side …

Dec 17, 2025
CVE-2025-65834
9.8 CRITICAL

Meltytech Shotcut 25.10.31 is vulnerable to Buffer Overflow. A memory access violation occurs when processing MLT project files with manipulated width and height parameters. By …

Dec 16, 2025
CVE-2025-68270
9.9 CRITICAL

The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if …

Dec 16, 2025
CVE-2025-62864
9.8 CRITICAL

Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM …

Dec 16, 2025
CVE-2025-62863
9.8 CRITICAL

Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM …

Dec 16, 2025
CVE-2025-46295
9.8 CRITICAL

Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some …

Dec 16, 2025
CVE-2025-33210
9.0 CRITICAL

NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution.

Dec 16, 2025
CVE-2025-63414
10.0 CRITICAL

A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP …

Dec 16, 2025
CVE-2025-50401
9.8 CRITICAL

Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter password.

Dec 16, 2025
CVE-2025-50398
9.8 CRITICAL

Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter fac_password.

Dec 16, 2025
CVE-2025-37164
10.0 CRITICAL KEV

A remote code execution issue exists in HPE OneView.

Dec 16, 2025
CVE-2023-53899
9.8 CRITICAL

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' …

Dec 16, 2025
CVE-2023-53895
9.8 CRITICAL

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit …

Dec 16, 2025
CVE-2023-53894
9.8 CRITICAL

phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft …

Dec 16, 2025
CVE-2025-65319
9.1 CRITICAL

When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to …

Dec 16, 2025
CVE-2025-65318
9.1 CRITICAL

When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to …

Dec 16, 2025
CVE-2025-68263
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an …

Dec 16, 2025
CVE-2025-62849
9.8 CRITICAL

An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized …

Dec 16, 2025
CVE-2025-59385
9.8 CRITICAL

An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to …

Dec 16, 2025
CVE-2025-67744
9.6 CRITICAL

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid …

Dec 16, 2025
CVE-2025-64725
9.8 CRITICAL

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version …

Dec 15, 2025
CVE-2025-59947
9.0 CRITICAL

NanoMQ is a messaging broker/bus for IoT Edge & SDV. Versions prior to 0.24.4 have a buffer overflow case while the PUBLISH packets trigger both …

Dec 15, 2025
CVE-2025-55895
9.1 CRITICAL

TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote).

Dec 15, 2025
CVE-2023-53877
9.8 CRITICAL

Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, …

Dec 15, 2025
CVE-2023-53874
9.8 CRITICAL

GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite …

Dec 15, 2025
CVE-2023-53871
9.8 CRITICAL

Soosyze 2.0.0 contains a file upload vulnerability that allows attackers to upload arbitrary HTML files with embedded PHP code to the application. Attackers can exploit …

Dec 15, 2025
CVE-2025-65213
9.8 CRITICAL

MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, …

Dec 15, 2025
CVE-2025-66844
9.1 CRITICAL

In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration …

Dec 15, 2025
CVE-2025-13888
9.1 CRITICAL

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in …

Dec 15, 2025
CVE-2025-14156
9.8 CRITICAL

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is …

Dec 15, 2025
CVE-2025-14709
9.8 CRITICAL

A security vulnerability has been detected in Shiguangwu sgwbox N3 2.0.25. Affected by this issue is some unknown functionality of the file /usr/sbin/http_eshell_server of the …

Dec 15, 2025
CVE-2025-14708
9.8 CRITICAL

A weakness has been identified in Shiguangwu sgwbox N3 2.0.25. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/http_eshell_server of the component …

Dec 15, 2025
CVE-2025-14707
9.8 CRITICAL

A security flaw has been discovered in Shiguangwu sgwbox N3 2.0.25. Affected is an unknown function of the file /usr/sbin/http_eshell_server of the component DOCKER Feature. …

Dec 15, 2025
CVE-2025-14706
9.8 CRITICAL

A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation …

Dec 15, 2025
CVE-2025-14705
9.8 CRITICAL

A vulnerability was determined in Shiguangwu sgwbox N3 2.0.25. This affects an unknown function of the component SHARESERVER Feature. This manipulation of the argument params …

Dec 15, 2025
CVE-2025-14665
9.8 CRITICAL

A security flaw has been discovered in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/DhcpListClient of the component HTTP Request Handler. …

Dec 14, 2025
CVE-2025-36753
9.8 CRITICAL

The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and …

Dec 13, 2025
CVE-2025-36752
9.8 CRITICAL

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker …

Dec 13, 2025
CVE-2025-36747
9.8 CRITICAL

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the …

Dec 13, 2025
CVE-2025-14440
9.8 CRITICAL

The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect …

Dec 13, 2025
CVE-2025-11693
9.8 CRITICAL

The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, …

Dec 13, 2025
CVE-2025-10738
9.8 CRITICAL

The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, …

Dec 13, 2025
CVE-2025-14611
9.8 CRITICAL KEV

Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints …

Dec 12, 2025
CVE-2024-58311
9.8 CRITICAL

Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can …

Dec 12, 2025
CVE-2024-58299
9.8 CRITICAL

PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a …

Dec 12, 2025
CVE-2024-14010
9.8 CRITICAL

Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands …

Dec 12, 2025
CVE-2025-66430
9.1 CRITICAL

Plesk 18.0 has Incorrect Access Control.

Dec 12, 2025
CVE-2025-65854
9.8 CRITICAL

Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allows attackers to execute arbitrary commands and execute a full account takeover.

Dec 12, 2025
CVE-2025-54947
9.8 CRITICAL

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, …

Dec 12, 2025
CVE-2025-58130
9.1 CRITICAL

Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to …

Dec 12, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.