CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-68936
6.4 MEDIUM

ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.

Dec 25, 2025
CVE-2025-68935
6.4 MEDIUM

ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.

Dec 25, 2025
CVE-2025-15085
4.3 MEDIUM

A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The …

Dec 25, 2025
CVE-2025-15084
3.1 LOW

A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. …

Dec 25, 2025
CVE-2025-15083
2.0 LOW

A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation …

Dec 25, 2025
CVE-2025-15082
5.3 MEDIUM

A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management …

Dec 25, 2025
CVE-2025-15081
6.3 MEDIUM

A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument …

Dec 25, 2025
CVE-2025-2406
7.6 HIGH

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi …

Dec 25, 2025
CVE-2025-2405
7.6 HIGH

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus …

Dec 25, 2025
CVE-2025-2307
7.6 HIGH

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango …

Dec 25, 2025
CVE-2025-66443
7.5 HIGH

Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an …

Dec 25, 2025
CVE-2025-66379
7.5 HIGH

Pexip Infinity before 39.0 has Improper Input Validation in the media implementation, allowing a remote attacker to trigger a software abort via a crafted media …

Dec 25, 2025
CVE-2025-66378
5.9 MEDIUM

Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy …

Dec 25, 2025
CVE-2025-66377
7.5 HIGH

Pexip Infinity before 39.0 has Missing Authentication for a Critical Function in a product-internal API, allowing an attacker (who already has access to execute code …

Dec 25, 2025
CVE-2025-59683
8.2 HIGH

Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange …

Dec 25, 2025
CVE-2025-49088
5.9 MEDIUM

Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in …

Dec 25, 2025
CVE-2025-48704
7.5 HIGH

Pexip Infinity 35.0 through 37.2 before 38.0 has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a …

Dec 25, 2025
CVE-2025-32096
7.5 HIGH

Pexip Infinity 33.0 through 37.0 before 37.1 has improper input validation in signaling that allows an attacker to trigger a software abort, resulting in a …

Dec 25, 2025
CVE-2025-32095
7.5 HIGH

Pexip Infinity before 37.0 has improper input validation in signalling that allows a remote attacker to trigger a software abort via a crafted signalling message, …

Dec 25, 2025
CVE-2025-15078
7.3 HIGH

A vulnerability was detected in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /list_report.php. The manipulation of the …

Dec 25, 2025
CVE-2025-15077
7.3 HIGH

A security vulnerability has been detected in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /form137.php. The manipulation …

Dec 25, 2025
CVE-2025-15076
7.3 HIGH

A weakness has been identified in Tenda CH22 1.0.0.1. Impacted is an unknown function of the file /public/. Executing a manipulation can lead to path …

Dec 25, 2025
CVE-2025-15075
7.3 HIGH

A security flaw has been discovered in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /student_p.php. Performing manipulation of …

Dec 25, 2025
CVE-2025-15074
7.3 HIGH

A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /customer_details.php. Such manipulation leads to …

Dec 25, 2025
CVE-2025-68922
7.4 HIGH

OpenOps before 0.6.11 allows remote code execution in the Terraform block.

Dec 25, 2025
CVE-2025-15073
7.3 HIGH

A vulnerability was determined in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /contact_us.php. This manipulation of the …

Dec 24, 2025
CVE-2025-68920
8.9 HIGH

C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary …

Dec 24, 2025
CVE-2025-8769
9.8 CRITICAL

Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an …

Dec 24, 2025
CVE-2025-68919
5.6 MEDIUM

Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority …

Dec 24, 2025
CVE-2025-68917
6.4 MEDIUM

ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.

Dec 24, 2025
CVE-2025-68916
9.1 CRITICAL

Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution.

Dec 24, 2025
CVE-2025-68915
5.5 MEDIUM

Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner.

Dec 24, 2025
CVE-2025-68914
6.5 MEDIUM

Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table.

Dec 24, 2025
CVE-2025-3232
7.5 HIGH

A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands.

Dec 24, 2025
CVE-2019-25258
7.5 HIGH

LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through unverified 'suffix' and 'fileVersion' parameters. Attackers can exploit …

Dec 24, 2025
CVE-2019-25257
6.5 MEDIUM

LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these …

Dec 24, 2025
CVE-2019-25256
6.5 MEDIUM

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers …

Dec 24, 2025
CVE-2019-25255
4.3 MEDIUM

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can …

Dec 24, 2025
CVE-2019-25254
8.8 HIGH

KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious …

Dec 24, 2025
CVE-2019-25253
7.5 HIGH

KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system …

Dec 24, 2025
CVE-2019-25252
4.3 MEDIUM

Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious …

Dec 24, 2025
CVE-2019-25251
6.5 MEDIUM

Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters 'url' and 'xml_url'. Attackers …

Dec 24, 2025
CVE-2019-25250
5.3 MEDIUM

Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can …

Dec 24, 2025
CVE-2019-25249
9.8 CRITICAL

devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can …

Dec 24, 2025
CVE-2019-25248
7.5 HIGH

Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP …

Dec 24, 2025
CVE-2019-25247
5.3 MEDIUM

Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers …

Dec 24, 2025
CVE-2019-25246
8.8 HIGH

Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. …

Dec 24, 2025
CVE-2019-25245
8.8 HIGH

Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can …

Dec 24, 2025
CVE-2019-25244
5.3 MEDIUM

Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site …

Dec 24, 2025
CVE-2019-25243
8.8 HIGH

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary …

Dec 24, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.