CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-68389
6.5 MEDIUM

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and …

Dec 18, 2025
CVE-2025-68387
6.1 MEDIUM

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be …

Dec 18, 2025
CVE-2025-68386
4.3 MEDIUM

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even …

Dec 18, 2025
CVE-2025-68385
7.2 HIGH

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be …

Dec 18, 2025
CVE-2025-68279
7.7 HIGH

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using …

Dec 18, 2025
CVE-2025-68388
5.3 MEDIUM

Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration …

Dec 18, 2025
CVE-2025-68384
6.5 MEDIUM

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial …

Dec 18, 2025
CVE-2025-68383
6.5 MEDIUM

Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to …

Dec 18, 2025
CVE-2025-68382
6.5 MEDIUM

Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through …

Dec 18, 2025
CVE-2025-68381
6.5 MEDIUM

Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause …

Dec 18, 2025
CVE-2025-65046
3.1 LOW

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Dec 18, 2025
CVE-2025-65041
10.0 CRITICAL

Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.

Dec 18, 2025
CVE-2025-65037
10.0 CRITICAL

Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.

Dec 18, 2025
CVE-2025-64677
8.2 HIGH

Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.

Dec 18, 2025
CVE-2025-64676
7.2 HIGH

'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.

Dec 18, 2025
CVE-2025-64663
9.9 CRITICAL

Custom Question Answering Elevation of Privilege Vulnerability

Dec 18, 2025
CVE-2025-34452

Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow …

Dec 18, 2025
CVE-2025-34451
7.8 HIGH

rofl0r/proxychains-ng versions up to and including 4.17 and prior to commit cc005b7 contain a stack-based buffer overflow vulnerability in the function proxy_from_string() located in src/libproxychains.c. …

Dec 18, 2025
CVE-2025-34450
7.8 HIGH

merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. …

Dec 18, 2025
CVE-2025-34449
9.1 CRITICAL

Genymobile/scrcpy versions up to and including 3.3.3, prior to commit 3e40b24, contain a buffer overflow vulnerability in the sc_device_msg_deserialize() function. A compromised device can send …

Dec 18, 2025
CVE-2025-13427

An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents' knowledge …

Dec 18, 2025
CVE-2025-68161
4.8 MEDIUM

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName …

Dec 18, 2025
CVE-2025-67653
4.3 MEDIUM

Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files.

Dec 18, 2025
CVE-2025-63951
7.5 HIGH

An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that …

Dec 18, 2025
CVE-2025-63950
7.5 HIGH

An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that …

Dec 18, 2025
CVE-2025-63949
6.1 MEDIUM

A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' …

Dec 18, 2025
CVE-2025-63948
5.4 MEDIUM

A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially …

Dec 18, 2025
CVE-2025-63947
5.4 MEDIUM

A Reflected Cross-Site Scripting (XSS) vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary web script or HTML via …

Dec 18, 2025
CVE-2025-62004
7.5 HIGH

BullWall Server Intrusion Protection (SIP) services are initialized after login services during system startup. A local, authenticated attacker can log in after boot and before …

Dec 18, 2025
CVE-2025-62003
7.5 HIGH

BullWall Server Intrusion Protection has a noticeable configuration-dependent delay before the MFA check for RDP connections. A remote, authenticated attacker can potentially bypass detection during …

Dec 18, 2025
CVE-2025-62002
4.3 MEDIUM

BullWall Ransomware Containment considers the number of files modified to trigger detection. An authenticated attacker could encrypt a single (possibly large) file without triggering detection …

Dec 18, 2025
CVE-2025-62001
8.8 HIGH

BullWall Ransomware Containment supports configurable file and directory exclusions such as '$RECYCLE.BIN' to balance monitoring scope and performance. Certain exclusion patterns could allow an authenticated …

Dec 18, 2025
CVE-2025-62000
7.1 HIGH

BullWall Ransomware Containment may not always detect an encrypted file. This issue affects a specific file inspection method that evaluates file content based on header …

Dec 18, 2025
CVE-2025-59529
5.5 MEDIUM

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the …

Dec 18, 2025
CVE-2025-53710
7.5 HIGH

Due to a product misconfiguration in certain deployment types, it was possible from different pods in the same namespace to communicate with each other. This …

Dec 18, 2025
CVE-2025-46268
6.3 MEDIUM

Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands.

Dec 18, 2025
CVE-2025-14850
8.1 HIGH

Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files.

Dec 18, 2025
CVE-2025-14849
8.8 HIGH

Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code.

Dec 18, 2025
CVE-2025-14848
4.3 MEDIUM

Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files.

Dec 18, 2025
CVE-2025-13911
6.4 MEDIUM

The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that …

Dec 18, 2025
CVE-2025-67163
6.1 MEDIUM

A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload …

Dec 18, 2025
CVE-2025-65566
7.5 HIGH

A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Session Report Response that is missing …

Dec 18, 2025
CVE-2025-64400
4.1 MEDIUM

Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that …

Dec 18, 2025
CVE-2025-14889
5.4 MEDIUM

A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of …

Dec 18, 2025
CVE-2024-58323
5.4 MEDIUM

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute …

Dec 18, 2025
CVE-2024-58322
5.4 MEDIUM

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of …

Dec 18, 2025
CVE-2024-58321
5.4 MEDIUM

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to …

Dec 18, 2025
CVE-2024-58320
5.3 MEDIUM

An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration …

Dec 18, 2025
CVE-2024-58319
6.1 MEDIUM

A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this …

Dec 18, 2025
CVE-2024-58318
6.1 MEDIUM

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. …

Dec 18, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.