CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-68429
7.3 HIGH

Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions …

Dec 17, 2025
CVE-2025-68147
8.1 HIGH

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and …

Dec 17, 2025
CVE-2025-68145
9.1 CRITICAL

In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did …

Dec 17, 2025
CVE-2025-68144
7.1 HIGH

In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` …

Dec 17, 2025
CVE-2025-68143
8.8 HIGH

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool …

Dec 17, 2025
CVE-2025-66029
7.6 HIGH

Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. …

Dec 17, 2025
CVE-2025-14836
2.7 LOW

A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data …

Dec 17, 2025
CVE-2025-14834
6.3 MEDIUM

A weakness has been identified in code-projects Simple Stock System 1.0. This affects an unknown function of the file /checkuser.php. Executing a manipulation of the …

Dec 17, 2025
CVE-2025-14833
7.3 HIGH

A security flaw has been discovered in code-projects Online Appointment Booking System 1.0. The impacted element is an unknown function of the file /admin/deletemanagerclinic.php. Performing …

Dec 17, 2025
CVE-2025-14319

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Dec 17, 2025
CVE-2025-14268

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Dec 17, 2025
CVE-2023-53933
8.8 HIGH

Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with …

Dec 17, 2025
CVE-2023-53932
5.4 MEDIUM

Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with …

Dec 17, 2025
CVE-2023-53931
6.1 MEDIUM

Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a …

Dec 17, 2025
CVE-2023-53930
7.5 HIGH

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can …

Dec 17, 2025
CVE-2023-53929
8.8 HIGH

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile …

Dec 17, 2025
CVE-2023-53928
5.4 MEDIUM

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can …

Dec 17, 2025
CVE-2023-53927
5.4 MEDIUM

PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create …

Dec 17, 2025
CVE-2023-53926
9.8 CRITICAL

PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted …

Dec 17, 2025
CVE-2023-53925
6.1 MEDIUM

UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files …

Dec 17, 2025
CVE-2023-53924
8.8 HIGH

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can …

Dec 17, 2025
CVE-2023-53923
9.8 CRITICAL

UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST …

Dec 17, 2025
CVE-2023-53922
9.8 CRITICAL

TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload …

Dec 17, 2025
CVE-2023-53921
9.8 CRITICAL

SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar …

Dec 17, 2025
CVE-2023-53920
5.4 MEDIUM

PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the podcast title field accessible through the podcast details interface (podcast_details.php). Malicious JavaScript payloads injected into …

Dec 17, 2025
CVE-2023-53919
5.4 MEDIUM

PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the Freebox content field accessible through the theme customization interface (theme_freebox.php). Malicious JavaScript payloads injected into …

Dec 17, 2025
CVE-2023-53918
6.1 MEDIUM

PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface (episodes_upload.php). Malicious JavaScript payloads injected into …

Dec 17, 2025
CVE-2023-53917
6.5 MEDIUM

Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the …

Dec 17, 2025
CVE-2023-53916
4.6 MEDIUM

Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported …

Dec 17, 2025
CVE-2023-53915
4.6 MEDIUM

Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can …

Dec 17, 2025
CVE-2023-53914
9.8 CRITICAL

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a …

Dec 17, 2025
CVE-2023-53913
8.8 HIGH

Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| …

Dec 17, 2025
CVE-2023-53912
6.2 MEDIUM

USB Flash Drives Control 4.1.0.0 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers …

Dec 17, 2025
CVE-2023-53911
5.4 MEDIUM

Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert …

Dec 17, 2025
CVE-2023-53910
5.4 MEDIUM

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through …

Dec 17, 2025
CVE-2023-53909
5.4 MEDIUM

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media …

Dec 17, 2025
CVE-2023-53908
8.8 HIGH

HiSecOS 04.0.01 contains a privilege escalation vulnerability that allows authenticated users to modify their access role through XML-based NETCONF configuration. Attackers can send crafted XML …

Dec 17, 2025
CVE-2023-53907
6.5 MEDIUM

Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit …

Dec 17, 2025
CVE-2023-53906
4.8 MEDIUM

projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft …

Dec 17, 2025
CVE-2023-53905
8.0 HIGH

ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| …

Dec 17, 2025
CVE-2023-53904
4.6 MEDIUM

Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create …

Dec 17, 2025
CVE-2025-68401
4.8 MEDIUM

ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this …

Dec 17, 2025
CVE-2025-68400
8.8 HIGH

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the …

Dec 17, 2025
CVE-2025-68399
5.4 MEDIUM

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of …

Dec 17, 2025
CVE-2025-68275
4.8 MEDIUM

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive …

Dec 17, 2025
CVE-2025-68129
6.8 MEDIUM

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is …

Dec 17, 2025
CVE-2025-68118
9.1 CRITICAL

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. …

Dec 17, 2025
CVE-2025-68114
4.8 MEDIUM

Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, an unchecked vsnprintf return in SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream’s index negative or …

Dec 17, 2025
CVE-2025-68112
9.6 CRITICAL

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to …

Dec 17, 2025
CVE-2025-68111
7.2 HIGH

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. …

Dec 17, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.