CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-13613
9.8 CRITICAL

The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin …

Dec 10, 2025
CVE-2025-67506
9.8 CRITICAL

PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The …

Dec 10, 2025
CVE-2025-61811
9.1 CRITICAL

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context …

Dec 10, 2025
CVE-2025-61809
9.1 CRITICAL

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker …

Dec 10, 2025
CVE-2025-61808
9.1 CRITICAL

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code …

Dec 10, 2025
CVE-2025-67494
9.3 CRITICAL

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats …

Dec 9, 2025
CVE-2025-66039
9.8 CRITICAL

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set …

Dec 9, 2025
CVE-2025-67489
9.8 CRITICAL

@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through …

Dec 9, 2025
CVE-2023-53774
9.8 CRITICAL

MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can …

Dec 9, 2025
CVE-2023-53771
9.8 CRITICAL

MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to …

Dec 9, 2025
CVE-2021-47731
9.8 CRITICAL

Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. Attackers can exploit the hidden …

Dec 9, 2025
CVE-2021-47728
9.8 CRITICAL

Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit …

Dec 9, 2025
CVE-2025-66456
9.8 CRITICAL

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in …

Dec 9, 2025
CVE-2025-65741
9.8 CRITICAL

Sublime Text 3 Build 3208 or prior for MacOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file and force the execution …

Dec 9, 2025
CVE-2025-64113
9.8 CRITICAL

Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby …

Dec 9, 2025
CVE-2025-65882
9.8 CRITICAL

An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands.

Dec 9, 2025
CVE-2025-59719
9.8 CRITICAL

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to …

Dec 9, 2025
CVE-2025-59718
9.8 CRITICAL KEV

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, …

Dec 9, 2025
CVE-2025-63742
9.8 CRITICAL

SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers gain sensitive information, including administrator accounts, password hashes, database …

Dec 9, 2025
CVE-2025-67504
9.1 CRITICAL

WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, …

Dec 9, 2025
CVE-2025-66631
9.8 CRITICAL

CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. …

Dec 9, 2025
CVE-2025-66568
9.1 CRITICAL

The ruby-saml library implements the client side of an SAML authorization. Versions up to and including 1.12.4, are vulnerable to authentication bypass through the libxml2 …

Dec 9, 2025
CVE-2025-66567
9.1 CRITICAL

The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability …

Dec 9, 2025
CVE-2025-66565
9.8 CRITICAL

Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, …

Dec 9, 2025
CVE-2025-42928
9.1 CRITICAL

Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable …

Dec 9, 2025
CVE-2025-42880
9.9 CRITICAL

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide …

Dec 9, 2025
CVE-2025-14330
9.8 CRITICAL

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Dec 9, 2025
CVE-2025-14326
9.8 CRITICAL

Use-after-free in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 146 and Thunderbird 146.

Dec 9, 2025
CVE-2025-14324
9.8 CRITICAL

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird …

Dec 9, 2025
CVE-2025-14321
9.8 CRITICAL

Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Dec 9, 2025
CVE-2025-14308
9.8 CRITICAL

An integer overflow vulnerability exists in the write method of the Buffer class in Robocode version 1.9.3.6. The method fails to properly validate the length …

Dec 9, 2025
CVE-2025-14306
9.1 CRITICAL

A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to …

Dec 9, 2025
CVE-2025-12504
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software UNIS allows SQL Injection.This issue affects UNIS: before 42321.

Dec 9, 2025
CVE-2025-11022
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability resulting in Command Injection has been identified. This …

Dec 9, 2025
CVE-2025-10573
9.6 CRITICAL

Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of …

Dec 9, 2025
CVE-2025-66481
9.6 CRITICAL

DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized …

Dec 9, 2025
CVE-2025-65849
9.1 CRITICAL

A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via …

Dec 8, 2025
CVE-2025-65548
9.1 CRITICAL

NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 do not validate the size of preimage when the …

Dec 8, 2025
CVE-2025-64081
9.8 CRITICAL

SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.

Dec 8, 2025
CVE-2025-48626
9.8 CRITICAL

In multiple locations, there is a possible way to launch an application from the background due to a precondition check failure. This could lead to …

Dec 8, 2025
CVE-2025-61318
9.1 CRITICAL

Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. They fail to perform path …

Dec 8, 2025
CVE-2025-27020
9.8 CRITICAL

Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on file system . This …

Dec 8, 2025
CVE-2025-27019
9.8 CRITICAL

Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse …

Dec 8, 2025
CVE-2025-13377
9.6 CRITICAL

The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file …

Dec 6, 2025
CVE-2025-12673
9.8 CRITICAL

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in …

Dec 6, 2025
CVE-2025-66570
10.0 CRITICAL

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and …

Dec 5, 2025
CVE-2025-66562
9.6 CRITICAL

TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in …

Dec 5, 2025
CVE-2025-34256
9.8 CRITICAL

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs …

Dec 5, 2025
CVE-2025-64054
9.6 CRITICAL

A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands …

Dec 5, 2025
CVE-2025-12374
9.8 CRITICAL

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass …

Dec 5, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.