CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-66301
9.6 CRITICAL

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an …

Dec 1, 2025
CVE-2025-65836
9.1 CRITICAL

PublicCMS V5.202506.b is vulnerable to SSRF. in the chat interface of SimpleAiAdminController.

Dec 1, 2025
CVE-2025-51683
9.8 CRITICAL

A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server …

Dec 1, 2025
CVE-2025-51682
9.8 CRITICAL

mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they …

Dec 1, 2025
CVE-2025-8351
9.0 CRITICAL

Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Service of …

Dec 1, 2025
CVE-2025-63535
9.6 CRITICAL

A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize usersupplied input in …

Dec 1, 2025
CVE-2025-63532
9.6 CRITICAL

A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in …

Dec 1, 2025
CVE-2025-3500
9.0 CRITICAL

Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation.This issue affects Antivirus: from 25.1.981.6 before 25.3.

Dec 1, 2025
CVE-2025-63531
10.0 CRITICAL

A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in …

Dec 1, 2025
CVE-2025-63525
9.6 CRITICAL

An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php.

Dec 1, 2025
CVE-2025-12106
9.1 CRITICAL

Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses

Dec 1, 2025
CVE-2025-35028
9.1 CRITICAL

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, …

Nov 30, 2025
CVE-2025-13615
9.8 CRITICAL

The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the …

Nov 30, 2025
CVE-2025-66216
9.8 CRITICAL

AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, a heap buffer overflow vulnerability has been identified in the AIS::Message class of AIS-catcher. This …

Nov 29, 2025
CVE-2025-66219
9.8 CRITICAL

willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in …

Nov 29, 2025
CVE-2025-65112
9.4 CRITICAL

PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as …

Nov 29, 2025
CVE-2025-64314
9.3 CRITICAL

Permission control vulnerability in the memory management module. Impact: Successful exploitation of this vulnerability may affect confidentiality.

Nov 28, 2025
CVE-2025-12421
9.9 CRITICAL

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code …

Nov 27, 2025
CVE-2025-12419
9.9 CRITICAL

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication …

Nov 27, 2025
CVE-2025-13675
9.8 CRITICAL

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file …

Nov 27, 2025
CVE-2025-13540
9.8 CRITICAL

The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare_membership_init_rest_api_register' …

Nov 27, 2025
CVE-2025-13539
9.8 CRITICAL

The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin …

Nov 27, 2025
CVE-2025-13538
9.8 CRITICAL

The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' …

Nov 27, 2025
CVE-2025-40934
9.3 CRITICAL

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document …

Nov 26, 2025
CVE-2025-65276
9.8 CRITICAL

An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an …

Nov 26, 2025
CVE-2025-50433
9.8 CRITICAL

An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts.

Nov 26, 2025
CVE-2025-65669
9.1 CRITICAL

An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing …

Nov 26, 2025
CVE-2025-26155
9.8 CRITICAL

NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.

Nov 26, 2025
CVE-2025-64130
9.8 CRITICAL

Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.

Nov 26, 2025
CVE-2025-64128
10.0 CRITICAL

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to …

Nov 26, 2025
CVE-2025-64127
10.0 CRITICAL

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without …

Nov 26, 2025
CVE-2025-64126
10.0 CRITICAL

An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a …

Nov 26, 2025
CVE-2025-55469
9.8 CRITICAL

Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.

Nov 26, 2025
CVE-2025-65236
9.8 CRITICAL

OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.

Nov 26, 2025
CVE-2025-65235
9.8 CRITICAL

OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.

Nov 26, 2025
CVE-2025-62354
9.8 CRITICAL

Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of …

Nov 26, 2025
CVE-2025-50402
9.8 CRITICAL

FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter string fac_password.

Nov 26, 2025
CVE-2025-50399
9.8 CRITICAL

FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter password.

Nov 26, 2025
CVE-2025-59390
9.8 CRITICAL

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using …

Nov 26, 2025
CVE-2025-66022
9.6 CRITICAL

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code …

Nov 26, 2025
CVE-2025-66262
9.8 CRITICAL

Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, …

Nov 26, 2025
CVE-2025-66261
9.8 CRITICAL

Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 …

Nov 26, 2025
CVE-2025-66259
9.8 CRITICAL

Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, …

Nov 26, 2025
CVE-2025-66257
9.1 CRITICAL

Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 …

Nov 26, 2025
CVE-2025-66256
9.8 CRITICAL

Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 …

Nov 26, 2025
CVE-2025-66255
9.8 CRITICAL

Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 …

Nov 26, 2025
CVE-2025-66254
9.1 CRITICAL

Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 …

Nov 26, 2025
CVE-2025-66253
9.8 CRITICAL

Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 …

Nov 26, 2025
CVE-2025-66251
9.1 CRITICAL

Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, …

Nov 26, 2025
CVE-2025-66250
9.8 CRITICAL

Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 …

Nov 26, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.