CVE Database

37767+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2023-34440
7.5 HIGH

Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

Feb 12, 2025
CVE-2023-31276
8.2 HIGH

Heap-based buffer overflow in BMC Firmware for the Intel(R) Server Board S2600WF, Intel(R) Server Board S2600ST, Intel(R) Server Board S2600BP, before version 02.01.0017 and Intel(R) …

Feb 12, 2025
CVE-2023-29164
7.3 HIGH

Improper access control in BMC Firmware for the Intel(R) Server Board S2600WF, Intel(R) Server Board S2600ST, Intel(R) Server Board S2600BP, before version 02.01.0017 and Intel(R) …

Feb 12, 2025
CVE-2024-12673
7.8 HIGH

An improper privilege vulnerability was reported in a BIOS customization feature of Lenovo Vantage on SMB notebook devices which could allow a local attacker to …

Feb 12, 2025
CVE-2025-25283
7.5 HIGH

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay …

Feb 12, 2025
CVE-2025-25205
8.2 HIGH

Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows …

Feb 12, 2025
CVE-2025-1146
8.1 HIGH

CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error …

Feb 12, 2025
CVE-2025-0937
7.1 HIGH

Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.

Feb 12, 2025
CVE-2025-25200
7.5 HIGH

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse …

Feb 12, 2025
CVE-2025-25199
7.5 HIGH

go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing …

Feb 12, 2025
CVE-2025-25198
7.1 HIGH

mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker …

Feb 12, 2025
CVE-2025-25743
7.2 HIGH

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a command injection vulnerability in the SetVirtualServerSettings module.

Feb 12, 2025
CVE-2024-11629
7.1 HIGH

In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path …

Feb 12, 2025
CVE-2025-0556
8.8 HIGH

In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framework implementation, communication of non-sensitive information between the service …

Feb 12, 2025
CVE-2025-0332
7.8 HIGH

In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an …

Feb 12, 2025
CVE-2024-11343
8.3 HIGH

In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), unzipping an archive can lead to arbitrary file system access.

Feb 12, 2025
CVE-2025-1244
8.8 HIGH

A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a …

Feb 12, 2025
CVE-2025-0376
8.7 HIGH

An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that …

Feb 12, 2025
CVE-2024-12251
7.8 HIGH

In Progress Telerik UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements.

Feb 12, 2025
CVE-2025-26378
8.8 HIGH

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including …

Feb 12, 2025
CVE-2025-26377
8.1 HIGH

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via …

Feb 12, 2025
CVE-2025-26375
8.8 HIGH

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with …

Feb 12, 2025
CVE-2025-26372
7.1 HIGH

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from …

Feb 12, 2025
CVE-2025-26371
8.8 HIGH

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to …

Feb 12, 2025
CVE-2025-26370
7.1 HIGH

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from …

Feb 12, 2025
CVE-2025-26369
8.8 HIGH

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to …

Feb 12, 2025
CVE-2025-26368
8.1 HIGH

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups …

Feb 12, 2025
CVE-2025-26366
7.5 HIGH

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26365
7.5 HIGH

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26364
7.5 HIGH

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26363
7.5 HIGH

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26362
7.5 HIGH

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26356
7.2 HIGH

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite …

Feb 12, 2025
CVE-2025-26354
7.2 HIGH

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite …

Feb 12, 2025
CVE-2025-26349
7.2 HIGH

A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker …

Feb 12, 2025
CVE-2025-26343
8.1 HIGH

A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …

Feb 12, 2025
CVE-2025-26340
8.8 HIGH

A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote …

Feb 12, 2025
CVE-2024-57951
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: hrtimers: Handle CPU state correctly on hotplug Consider a scenario where a CPU transitions from …

Feb 12, 2025
CVE-2025-0511
7.2 HIGH

The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due …

Feb 12, 2025
CVE-2024-13532
7.5 HIGH

The Small Package Quotes – Purolator Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up …

Feb 12, 2025
CVE-2024-13480
7.5 HIGH

The LTL Freight Quotes – For Customers of FedEx Freight plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in …

Feb 12, 2025
CVE-2024-13477
7.5 HIGH

The LTL Freight Quotes – Unishippers Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' parameter in all versions up to, and …

Feb 12, 2025
CVE-2024-12386
8.1 HIGH

The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing …

Feb 12, 2025
CVE-2024-32838
8.8 HIGH

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker …

Feb 12, 2025
CVE-2024-13531
7.5 HIGH

The ShipEngine Shipping Quotes plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' parameter in all versions up to, and including, 1.0.7 due …

Feb 12, 2025
CVE-2024-13528
7.5 HIGH

The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due …

Feb 12, 2025
CVE-2024-13490
7.5 HIGH

The LTL Freight Quotes – XPO Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up …

Feb 12, 2025
CVE-2024-13475
7.5 HIGH

The Small Package Quotes – UPS Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' parameter in all versions up to, and …

Feb 12, 2025
CVE-2024-13473
7.5 HIGH

The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameter in all versions …

Feb 12, 2025
CVE-2024-13435
7.5 HIGH

The Ebook Downloader plugin for WordPress is vulnerable to SQL Injection via the 'download' parameter in all versions up to, and including, 1.0 due to …

Feb 12, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.