CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-67734
5.4 MEDIUM

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript …

Dec 12, 2025
CVE-2025-14578
7.3 HIGH

A weakness has been identified in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /update_account.php. This manipulation of …

Dec 12, 2025
CVE-2025-14572
8.8 HIGH

A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This affects an unknown part of the file /goform/formWebAuthGlobalConfig. Performing manipulation of the argument …

Dec 12, 2025
CVE-2025-14373
4.3 MEDIUM

Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. …

Dec 12, 2025
CVE-2025-14372
6.1 MEDIUM

Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted …

Dec 12, 2025
CVE-2025-14174
8.8 HIGH KEV

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory …

Dec 12, 2025
CVE-2024-58314
8.8 HIGH

Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary …

Dec 12, 2025
CVE-2024-58311
9.8 CRITICAL

Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can …

Dec 12, 2025
CVE-2024-58305
8.8 HIGH

WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed …

Dec 12, 2025
CVE-2024-58299
9.8 CRITICAL

PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a …

Dec 12, 2025
CVE-2024-14010
9.8 CRITICAL

Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands …

Dec 12, 2025
CVE-2025-8082
6.3 MEDIUM

Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to …

Dec 12, 2025
CVE-2025-14571
7.3 HIGH

A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /borrow_book.php. Such …

Dec 12, 2025
CVE-2025-14570
7.3 HIGH

A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_admin.php. This …

Dec 12, 2025
CVE-2025-14569
5.3 MEDIUM

A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2. Affected is the function read_audio_data of the file /whisper.cpp/examples/common-whisper.cpp. The manipulation results in use after …

Dec 12, 2025
CVE-2025-14568
6.3 MEDIUM

A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the …

Dec 12, 2025
CVE-2025-40345

In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin - Automated Vulnerability Discovery Engine. new_pba …

Dec 12, 2025
CVE-2025-67819
4.9 MEDIUM

An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker …

Dec 12, 2025
CVE-2025-67818
7.2 HIGH

An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with …

Dec 12, 2025
CVE-2025-67342
4.6 MEDIUM

RuoYi versions 4.8.1 and earlier is affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, …

Dec 12, 2025
CVE-2025-64011
4.3 MEDIUM

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files …

Dec 12, 2025
CVE-2023-29144
3.3 LOW

Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection.

Dec 12, 2025
CVE-2025-67344
4.6 MEDIUM

jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.

Dec 12, 2025
CVE-2025-67341
4.6 MEDIUM

jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these …

Dec 12, 2025
CVE-2025-66430
9.1 CRITICAL

Plesk 18.0 has Incorrect Access Control.

Dec 12, 2025
CVE-2025-65854
9.8 CRITICAL

Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allows attackers to execute arbitrary commands and execute a full account takeover.

Dec 12, 2025
CVE-2025-65530
8.8 HIGH

An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted …

Dec 12, 2025
CVE-2025-53960
5.9 MEDIUM

When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker …

Dec 12, 2025
CVE-2025-14567
5.3 MEDIUM

A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to …

Dec 12, 2025
CVE-2025-14566
7.3 HIGH

A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The impacted element is an unknown function of the file /Profilers/SProfile/reg.php. Performing a …

Dec 12, 2025
CVE-2025-14565
7.3 HIGH

A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The affected element is an unknown function of the file /Profilers/SProfile/login1.php. Such manipulation of the …

Dec 12, 2025
CVE-2025-13733
7.8 HIGH

BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoNTFS: 1.3.2.

Dec 12, 2025
CVE-2025-12843
5.5 MEDIUM

Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. This issue affects waveterm: 0.12.2.

Dec 12, 2025
CVE-2025-58770
8.8 HIGH

APTIOV contains a vulnerability in BIOS where a user may cause “Improper Handling of Insufficient Permissions or Privileges” by local access. Successful exploitation of this …

Dec 12, 2025
CVE-2025-54981
7.5 HIGH

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including …

Dec 12, 2025
CVE-2025-54947
9.8 CRITICAL

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, …

Dec 12, 2025
CVE-2025-36755

The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. Researchers demonstrated that, after cicumventing the …

Dec 12, 2025
CVE-2025-36746
5.4 MEDIUM

SolarEdge monitoring platform contains a Cross‑Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a …

Dec 12, 2025
CVE-2025-36745
7.8 HIGH

SolarEdge SE3680H ships with an outdated Linux kernel containing unpatched vulnerabilities in core subsystems. An attacker with network or local access can exploit these flaws …

Dec 12, 2025
CVE-2025-36744
2.4 LOW

SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop. While the device repeatedly initializes and waits for boot instructions, the bootloader emits …

Dec 12, 2025
CVE-2025-36743
6.8 MEDIUM

SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands.

Dec 12, 2025
CVE-2025-13506
8.8 HIGH

Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the …

Dec 12, 2025
CVE-2025-14442
5.3 MEDIUM

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in …

Dec 12, 2025
CVE-2025-14159
4.3 MEDIUM

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. …

Dec 12, 2025
CVE-2025-14065
4.3 MEDIUM

The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action …

Dec 12, 2025
CVE-2025-14030
6.4 MEDIUM

The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due …

Dec 12, 2025
CVE-2025-12965
6.4 MEDIUM

The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all …

Dec 12, 2025
CVE-2025-12408
5.3 MEDIUM

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 …

Dec 12, 2025
CVE-2025-12407
4.3 MEDIUM

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, …

Dec 12, 2025
CVE-2025-12841
5.3 MEDIUM

The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options.

Dec 12, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.