CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-11366
9.8 CRITICAL

N-central < 2025.4 is vulnerable to authentication bypass via path traversal

Nov 12, 2025
CVE-2025-63666
9.8 CRITICAL

Tenda AC15 v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session …

Nov 12, 2025
CVE-2025-12871
9.8 CRITICAL

The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the …

Nov 12, 2025
CVE-2025-12870
9.8 CRITICAL

The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use …

Nov 12, 2025
CVE-2025-60724
9.8 CRITICAL

Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

Nov 11, 2025
CVE-2025-13032
9.9 CRITICAL

Double fetch in sandbox kernel driver in Avast/AVG Antivirus <25.3 on windows allows local attacker to escalate privelages via pool overflow.

Nov 11, 2025
CVE-2025-13026
9.8 CRITICAL

Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Nov 11, 2025
CVE-2025-13024
9.8 CRITICAL

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Nov 11, 2025
CVE-2025-13023
9.8 CRITICAL

Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Nov 11, 2025
CVE-2025-13022
9.8 CRITICAL

Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Nov 11, 2025
CVE-2025-13021
9.8 CRITICAL

Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Nov 11, 2025
CVE-2025-8324
9.8 CRITICAL

Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration.

Nov 11, 2025
CVE-2025-12539
10.0 CRITICAL

The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due …

Nov 11, 2025
CVE-2017-20210
9.8 CRITICAL

Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research.

Nov 11, 2025
CVE-2025-12813
9.8 CRITICAL

The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' …

Nov 11, 2025
CVE-2025-11457
9.8 CRITICAL

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is …

Nov 11, 2025
CVE-2025-11170
9.8 CRITICAL

The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all …

Nov 11, 2025
CVE-2025-42890
10.0 CRITICAL

SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code …

Nov 11, 2025
CVE-2025-42887
9.9 CRITICAL

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide …

Nov 11, 2025
CVE-2025-64522
9.1 CRITICAL

Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, …

Nov 10, 2025
CVE-2025-11892
9.6 CRITICAL

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead …

Nov 10, 2025
CVE-2021-4462
9.8 CRITICAL

Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; …

Nov 10, 2025
CVE-2025-12480
9.1 CRITICAL KEV

Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.

Nov 10, 2025
CVE-2025-12868
9.8 CRITICAL

New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator …

Nov 10, 2025
CVE-2025-12866
9.8 CRITICAL

EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, …

Nov 10, 2025
CVE-2025-10230
10.0 CRITICAL

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation …

Nov 7, 2025
CVE-2025-63691
9.6 CRITICAL

In pig-mesh In Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface (/api/admin/sys-token/page) has an …

Nov 7, 2025
CVE-2025-63690
9.1 CRITICAL

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible …

Nov 7, 2025
CVE-2025-63689
10.0 CRITICAL

Multiple SQL injection vulnerabilitites in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allows a remote attacker to execute arbitrary code via the orderby parameter

Nov 7, 2025
CVE-2025-52425
9.8 CRITICAL

An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands. We have …

Nov 7, 2025
CVE-2025-34299
9.8 CRITICAL

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading …

Nov 7, 2025
CVE-2025-64338
9.0 CRITICAL

ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection …

Nov 7, 2025
CVE-2025-12352
9.8 CRITICAL

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions …

Nov 7, 2025
CVE-2025-64180
10.0 CRITICAL

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw …

Nov 7, 2025
CVE-2025-12488
9.8 CRITICAL

oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga …

Nov 6, 2025
CVE-2025-12487
9.8 CRITICAL

oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga …

Nov 6, 2025
CVE-2022-50596
9.8 CRITICAL

D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated …

Nov 6, 2025
CVE-2022-50593
9.8 CRITICAL

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks …

Nov 6, 2025
CVE-2022-50591
9.8 CRITICAL

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks …

Nov 6, 2025
CVE-2022-50589
9.8 CRITICAL

SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Successful exploitation allows remote …

Nov 6, 2025
CVE-2025-27918
9.8 CRITICAL

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, …

Nov 6, 2025
CVE-2025-6327
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.This issue …

Nov 6, 2025
CVE-2025-6325
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.This issue affects King Addons for Elementor: from n/a through <= 51.1.36.

Nov 6, 2025
CVE-2025-62065
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor.This issue affects RTMKit: from n/a through <= 1.6.5.

Nov 6, 2025
CVE-2025-62064
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in Elated-Themes Search & Go search-and-go allows Password Recovery Exploitation.This issue affects Search & Go: from …

Nov 6, 2025
CVE-2025-62047
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons.This issue affects Case Addons: from n/a through < 1.3.0.

Nov 6, 2025
CVE-2025-62016
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in hogash KALLYAS kallyas.This issue affects KALLYAS: from n/a through <= 4.22.0.

Nov 6, 2025
CVE-2025-60245
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= …

Nov 6, 2025
CVE-2025-60243
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.This issue affects Selling Commander for WooCommerce: from n/a through <= …

Nov 6, 2025
CVE-2025-60235
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Support Ticket System for WooCommerce (Premium) support-ticket-system-for-woocommerce allows Using Malicious Files.This issue affects Support Ticket …

Nov 6, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.