CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-34442
7.5 HIGH

AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying …

Dec 17, 2025
CVE-2025-34441
7.5 HIGH

AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, …

Dec 17, 2025
CVE-2025-34440
6.1 MEDIUM

AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users …

Dec 17, 2025
CVE-2025-34439
6.1 MEDIUM

AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker …

Dec 17, 2025
CVE-2025-34438
8.1 HIGH

AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. …

Dec 17, 2025
CVE-2025-34437
8.8 HIGH

AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits …

Dec 17, 2025
CVE-2025-34436
8.8 HIGH

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. …

Dec 17, 2025
CVE-2025-34435
6.5 MEDIUM

AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to …

Dec 17, 2025
CVE-2025-34434
9.1 CRITICAL

AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images …

Dec 17, 2025
CVE-2025-14760
5.3 MEDIUM

Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new …

Dec 17, 2025
CVE-2025-14759
5.3 MEDIUM

Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce …

Dec 17, 2025
CVE-2025-67174
7.5 HIGH

A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via a directory traversal in the admin_language_file …

Dec 17, 2025
CVE-2025-67173
6.8 MEDIUM

A Cross-Site Request Forgery (CSRF) in the page creation/editing function of RiteCMS v3.1.0 allows attackers to arbitrarily create pages via a crafted POST request.

Dec 17, 2025
CVE-2025-67171
7.5 HIGH

Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal.

Dec 17, 2025
CVE-2025-67170
6.1 MEDIUM

A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted …

Dec 17, 2025
CVE-2025-67168
5.3 MEDIUM

RiteCMS v3.1.0 was discovered to use insecure encryption to store passwords.

Dec 17, 2025
CVE-2025-66953
8.8 HIGH

CSRF vulnerability in narda miteq Uplink Power Contril Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the Web-based management interface and …

Dec 17, 2025
CVE-2025-66395
8.8 HIGH

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, …

Dec 17, 2025
CVE-2025-62521
10.0 CRITICAL

ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to …

Dec 17, 2025
CVE-2025-14081
4.3 MEDIUM

The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to …

Dec 17, 2025
CVE-2025-13537
6.4 MEDIUM

The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions …

Dec 17, 2025
CVE-2025-13326
3.9 LOW

Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an …

Dec 17, 2025
CVE-2025-13324
3.7 LOW

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol …

Dec 17, 2025
CVE-2025-13321
3.3 LOW

Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access …

Dec 17, 2025
CVE-2025-13217
6.4 MEDIUM

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the …

Dec 17, 2025
CVE-2025-12689
6.5 MEDIUM

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to …

Dec 17, 2025
CVE-2024-46062
7.8 HIGH

Miniconda3 macOS installers before 23.11.0-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and …

Dec 17, 2025
CVE-2024-46060
7.8 HIGH

Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and …

Dec 17, 2025
CVE-2025-67172
7.2 HIGH

RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.

Dec 17, 2025
CVE-2025-66924
6.1 MEDIUM

A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or …

Dec 17, 2025
CVE-2025-66923
7.2 HIGH

A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML …

Dec 17, 2025
CVE-2025-65203
7.1 HIGH

KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script …

Dec 17, 2025
CVE-2025-67285
7.3 HIGH

A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that …

Dec 17, 2025
CVE-2025-67165
9.8 CRITICAL

An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.

Dec 17, 2025
CVE-2025-67164
9.9 CRITICAL

An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP …

Dec 17, 2025
CVE-2025-66921
7.2 HIGH

A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or …

Dec 17, 2025
CVE-2025-65855
6.6 MEDIUM

The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update …

Dec 17, 2025
CVE-2025-65185
2.8 LOW

There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code …

Dec 17, 2025
CVE-2025-53919
7.8 HIGH

An issue was discovered in the Portrait Dell Color Management application through 3.3.008 for Dell monitors, It creates a temporary folder, with weak permissions, during …

Dec 17, 2025
CVE-2025-53398
7.8 HIGH

The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions,

Dec 17, 2025
CVE-2025-26381

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.

Dec 17, 2025
CVE-2025-20393
10.0 CRITICAL KEV

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow …

Dec 17, 2025
CVE-2025-44005
10.0 CRITICAL

An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.

Dec 17, 2025
CVE-2025-43873

Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device.

Dec 17, 2025
CVE-2025-14727
8.3 HIGH

A vulnerability exists in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Dec 17, 2025
CVE-2024-29371
7.5 HIGH

In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high …

Dec 17, 2025
CVE-2024-29370
5.3 MEDIUM

In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token …

Dec 17, 2025
CVE-2022-23851
9.8 CRITICAL

Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).

Dec 17, 2025
CVE-2025-14266

CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse …

Dec 17, 2025
CVE-2025-62690
3.1 LOW

Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious …

Dec 17, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.