CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2023-53878

Member Login Script 3.3 contains a client-side desynchronization vulnerability that allows attackers to manipulate HTTP request handling by exploiting Content-Length header parsing. Attackers can send …

Dec 15, 2025
CVE-2023-53877
9.8 CRITICAL

Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, …

Dec 15, 2025
CVE-2023-53876
5.4 MEDIUM

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject …

Dec 15, 2025
CVE-2023-53875
8.8 HIGH

GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers …

Dec 15, 2025
CVE-2023-53874
9.8 CRITICAL

GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite …

Dec 15, 2025
CVE-2023-53873

SyncBreeze 15.2.24 contains a denial of service vulnerability in the login authentication mechanism that allows attackers to crash the service. Attackers can send an oversized …

Dec 15, 2025
CVE-2023-53872

Wp2Fac 1.0 contains an OS command injection vulnerability in the send.php endpoint that allows remote attackers to execute arbitrary system commands. Attackers can inject shell …

Dec 15, 2025
CVE-2023-53871
9.8 CRITICAL

Soosyze 2.0.0 contains a file upload vulnerability that allows attackers to upload arbitrary HTML files with embedded PHP code to the application. Attackers can exploit …

Dec 15, 2025
CVE-2023-53870

Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in …

Dec 15, 2025
CVE-2023-53869

WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage …

Dec 15, 2025
CVE-2023-53868
8.8 HIGH

Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload …

Dec 15, 2025
CVE-2023-38913
5.3 MEDIUM

SQL injection vulnerability in anirbandutta9 NEWS-BUZZ v.1.0 allows a remote attacker to execute arbitrary code via a crafted script.

Dec 15, 2025
CVE-2023-36338
5.3 MEDIUM

Inventory Management System 1 was discovered to contain a SQL injection vulnerability.

Dec 15, 2025
CVE-2025-67809
4.7 MEDIUM

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr …

Dec 15, 2025
CVE-2025-55703
2.5 LOW

An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays …

Dec 15, 2025
CVE-2025-36360
5.0 MEDIUM

IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through …

Dec 15, 2025
CVE-2025-14503
7.2 HIGH

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role …

Dec 15, 2025
CVE-2025-14148
6.5 MEDIUM

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM …

Dec 15, 2025
CVE-2025-13489
5.9 MEDIUM

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 IBM DevOps Deploy transmits data in clear text that could allow an attacker to obtain sensitive …

Dec 15, 2025
CVE-2025-12035
6.5 MEDIUM

An integer overflow condition exists in Bluetooth Host stack, within the bt_br_acl_recv routine a critical path for processing inbound BR/EDR L2CAP traffic.

Dec 15, 2025
CVE-2025-65835
6.2 MEDIUM

The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without …

Dec 15, 2025
CVE-2025-65213
9.8 CRITICAL

MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, …

Dec 15, 2025
CVE-2025-65176
7.5 HIGH

An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and …

Dec 15, 2025
CVE-2025-51962
6.1 MEDIUM

A HTML Injection vulnerability in the comment section of the project page in MicroStudio 24.01.29 allows remote attackers to inject arbitrary web script or HTML …

Dec 15, 2025
CVE-2023-36337
6.1 MEDIUM

A reflected cross-site scripting (XSS) vulnerability in the component /index.php/cuzh4 of PHP Inventory Management System 1 allows attackers to execute arbitrary web scripts or HTML …

Dec 15, 2025
CVE-2025-66440
8.8 HIGH

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary …

Dec 15, 2025
CVE-2025-66439
8.8 HIGH

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary …

Dec 15, 2025
CVE-2025-66438
8.8 HIGH

A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of …

Dec 15, 2025
CVE-2025-66437
8.8 HIGH

An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a …

Dec 15, 2025
CVE-2025-66436
4.3 MEDIUM

An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() …

Dec 15, 2025
CVE-2025-14038
7.0 HIGH

EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially …

Dec 15, 2025
CVE-2025-66435
4.3 MEDIUM

An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() …

Dec 15, 2025
CVE-2025-66434
8.8 HIGH

An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() …

Dec 15, 2025
CVE-2025-65742
8.2 HIGH

An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via …

Dec 15, 2025
CVE-2025-55901
6.5 MEDIUM

TOTOLINK A3300R V17.0.0cu.596_B20250515 is vulnerable to command injection in the function NTPSyncWithHost via the host_time parameter.

Dec 15, 2025
CVE-2025-55893
6.5 MEDIUM

TOTOLINK N200RE V9.3.5u.6437_B20230519 is vulnerable to command Injection in setOpModeCfg via hostName.

Dec 15, 2025
CVE-2025-11393
8.7 HIGH

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials …

Dec 15, 2025
CVE-2025-66963
5.5 MEDIUM

An issue in Hitron HI3120 v.7.2.4.5.2b1 allows a local attacker to obtain sensitive information via the Logout option in the index.html

Dec 15, 2025
CVE-2025-66844
9.1 CRITICAL

In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration …

Dec 15, 2025
CVE-2025-66843
5.4 MEDIUM

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content …

Dec 15, 2025
CVE-2025-60786
8.8 HIGH

A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted …

Dec 15, 2025
CVE-2025-14387
6.4 MEDIUM

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to …

Dec 15, 2025
CVE-2025-13888
9.1 CRITICAL

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in …

Dec 15, 2025
CVE-2025-13824

A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED …

Dec 15, 2025
CVE-2025-13823

A security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The …

Dec 15, 2025
CVE-2024-44599
8.3 HIGH

FNT Command 13.4.0 is vulnerable to Directory Traversal.

Dec 15, 2025
CVE-2024-44598
8.8 HIGH

FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module.

Dec 15, 2025
CVE-2025-34412

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that …

Dec 15, 2025
CVE-2025-34411

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that …

Dec 15, 2025
CVE-2025-34181

NetSupport Manager < 14.12.0001 contains an arbitrary file write vulnerability in its Connectivity Server/Gateway PUTFILE request handler. An attacker with a valid Gateway Key can …

Dec 15, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.