CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-34329
9.8 CRITICAL

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web …

Nov 19, 2025
CVE-2025-34328
9.8 CRITICAL

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint …

Nov 19, 2025
CVE-2025-63224
10.0 CRITICAL

The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT …

Nov 19, 2025
CVE-2025-63223
9.8 CRITICAL

The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi …

Nov 19, 2025
CVE-2025-63221
9.1 CRITICAL

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated …

Nov 19, 2025
CVE-2025-63218
9.8 CRITICAL

The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi …

Nov 19, 2025
CVE-2025-10437
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Webpack Management System …

Nov 19, 2025
CVE-2025-12057
9.8 CRITICAL

The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied …

Nov 19, 2025
CVE-2025-64325
9.0 CRITICAL

Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request …

Nov 18, 2025
CVE-2025-63217
9.8 CRITICAL

The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT …

Nov 18, 2025
CVE-2025-63216
10.0 CRITICAL

The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT …

Nov 18, 2025
CVE-2025-63228
9.8 CRITICAL

The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this …

Nov 18, 2025
CVE-2025-63225
9.8 CRITICAL

The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access …

Nov 18, 2025
CVE-2025-54321
9.8 CRITICAL

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated …

Nov 18, 2025
CVE-2025-63994
9.8 CRITICAL

An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file.

Nov 18, 2025
CVE-2025-63695
9.8 CRITICAL

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.

Nov 18, 2025
CVE-2025-63694
9.8 CRITICAL

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.

Nov 18, 2025
CVE-2025-56643
9.1 CRITICAL

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid …

Nov 18, 2025
CVE-2025-9312
9.8 CRITICAL

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due …

Nov 18, 2025
CVE-2025-41348
9.8 CRITICAL

SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST …

Nov 18, 2025
CVE-2025-41734
9.8 CRITICAL

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.

Nov 18, 2025
CVE-2025-41733
9.8 CRITICAL

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to …

Nov 18, 2025
CVE-2025-41347
9.8 CRITICAL

Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending …

Nov 18, 2025
CVE-2025-41346
9.8 CRITICAL

Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning …

Nov 18, 2025
CVE-2025-40549
9.1 CRITICAL

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute …

Nov 18, 2025
CVE-2025-40548
9.1 CRITICAL

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. …

Nov 18, 2025
CVE-2025-40547
9.1 CRITICAL

A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. …

Nov 18, 2025
CVE-2024-44659
9.8 CRITICAL

PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php.

Nov 17, 2025
CVE-2025-63747
9.8 CRITICAL

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the …

Nov 17, 2025
CVE-2025-9501
9.0 CRITICAL

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by …

Nov 17, 2025
CVE-2025-13284
9.8 CRITICAL

ThinPLUS developed by ThinPLUS has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.

Nov 17, 2025
CVE-2025-58083
10.0 CRITICAL

General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device.

Nov 15, 2025
CVE-2025-13188
9.8 CRITICAL

A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta. Affected by this vulnerability is the function authenticationcgi_main of the file /authentication.cgi. Performing manipulation of the argument …

Nov 14, 2025
CVE-2025-54343
9.6 CRITICAL

An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges.

Nov 14, 2025
CVE-2025-54339
10.0 CRITICAL

An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges.

Nov 14, 2025
CVE-2025-64446
9.8 CRITICAL KEV

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 …

Nov 14, 2025
CVE-2025-36251
9.6 CRITICAL

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due …

Nov 13, 2025
CVE-2025-36250
10.0 CRITICAL

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker …

Nov 13, 2025
CVE-2025-36096
9.0 CRITICAL

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 stores NIM private keys used in NIM environments in an insecure way which is …

Nov 13, 2025
CVE-2025-64709
9.6 CRITICAL

Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) …

Nov 13, 2025
CVE-2025-64717
9.8 CRITICAL

ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation …

Nov 13, 2025
CVE-2025-12762
9.1 CRITICAL

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from …

Nov 13, 2025
CVE-2025-59367
9.8 CRITICAL

An authentication bypass vulnerability has been identified in certain DSL series routers, may allow remote attackers to gain unauthorized access into the affected system. Refer …

Nov 13, 2025
CVE-2025-46608
9.1 CRITICAL

Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, …

Nov 12, 2025
CVE-2025-56385
9.8 CRITICAL

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is …

Nov 12, 2025
CVE-2025-64281
9.8 CRITICAL

An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials.

Nov 12, 2025
CVE-2025-64280
9.8 CRITICAL

A SQL Injection Vulnerability in CentralSquare Community Development 19.5.7 allows attackers to inject SQL via the permit_no field.

Nov 12, 2025
CVE-2025-63353
9.8 CRITICAL

A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The …

Nov 12, 2025
CVE-2025-63289
9.1 CRITICAL

Sogexia Android App Compile Affected SDK v35, Max SDK 32 and fixed in v36, was discovered to contain hardcoded encryption keys in the encryption_helper.dart file

Nov 12, 2025
CVE-2025-11367
9.8 CRITICAL

The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization

Nov 12, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.