CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-12835
7.3 HIGH

The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to …

Dec 12, 2025
CVE-2025-58137
8.1 HIGH

Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are …

Dec 12, 2025
CVE-2025-58130
9.1 CRITICAL

Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to …

Dec 12, 2025
CVE-2025-26866
8.8 HIGH

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication …

Dec 12, 2025
CVE-2025-23408
6.5 MEDIUM

Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to …

Dec 12, 2025
CVE-2025-14074
4.3 MEDIUM

The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing …

Dec 12, 2025
CVE-2025-13993
5.5 MEDIUM

The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, …

Dec 12, 2025
CVE-2025-12348
5.3 MEDIUM

The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. …

Dec 12, 2025
CVE-2025-40829
7.8 HIGH

A vulnerability has been identified in Simcenter Femap (All versions < V2512). The affected applications contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT …

Dec 12, 2025
CVE-2025-12960
6.5 MEDIUM

The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in …

Dec 12, 2025
CVE-2025-67731
7.5 HIGH

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used …

Dec 12, 2025
CVE-2025-67730
5.4 MEDIUM

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious …

Dec 12, 2025
CVE-2025-4970
5.5 MEDIUM

The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 …

Dec 12, 2025
CVE-2025-14169
7.5 HIGH

The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions …

Dec 12, 2025
CVE-2025-14049
6.1 MEDIUM

The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and …

Dec 12, 2025
CVE-2025-13891
6.5 MEDIUM

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. …

Dec 12, 2025
CVE-2025-11876
6.4 MEDIUM

The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 …

Dec 12, 2025
CVE-2025-10583
3.5 LOW

The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' …

Dec 12, 2025
CVE-2025-67737
3.1 LOW

AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP …

Dec 12, 2025
CVE-2025-67728
9.8 CRITICAL

Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, …

Dec 12, 2025
CVE-2025-67727
9.8 CRITICAL

Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI …

Dec 12, 2025
CVE-2025-67726
7.5 HIGH

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, …

Dec 12, 2025
CVE-2025-14356
4.3 MEDIUM

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the …

Dec 12, 2025
CVE-2025-14068
7.5 HIGH

The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0.6.3 due to …

Dec 12, 2025
CVE-2025-13660
5.3 MEDIUM

The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin …

Dec 12, 2025
CVE-2025-12655
5.3 MEDIUM

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, …

Dec 12, 2025
CVE-2025-12570
7.2 HIGH

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 …

Dec 12, 2025
CVE-2025-67725
7.5 HIGH

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's …

Dec 12, 2025
CVE-2025-67724
5.4 MEDIUM

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers …

Dec 12, 2025
CVE-2025-67508
8.4 HIGH

gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools. When using non‑POSIX shells such as Fish …

Dec 12, 2025
CVE-2025-10684
4.3 MEDIUM

The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as …

Dec 12, 2025
CVE-2025-66492
8.2 HIGH

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are …

Dec 12, 2025
CVE-2025-66284
5.4 MEDIUM

Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. A logged-in …

Dec 12, 2025
CVE-2025-65120
6.1 MEDIUM

Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a …

Dec 12, 2025
CVE-2025-64781
4.7 MEDIUM

In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to …

Dec 12, 2025
CVE-2025-62192
5.4 MEDIUM

SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information …

Dec 12, 2025
CVE-2025-61987
5.3 MEDIUM

GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. do not validate origins in WebSockets. If a …

Dec 12, 2025
CVE-2025-61950
4.3 MEDIUM

In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With some crafted request, a …

Dec 12, 2025
CVE-2025-58576
4.3 MEDIUM

Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a …

Dec 12, 2025
CVE-2025-57883
6.1 MEDIUM

Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a …

Dec 12, 2025
CVE-2025-54407
6.1 MEDIUM

Stored cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a …

Dec 12, 2025
CVE-2025-53523
5.4 MEDIUM

Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. A logged-in …

Dec 12, 2025
CVE-2025-14467
4.4 MEDIUM

The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4. This is due to …

Dec 12, 2025
CVE-2025-14393
6.4 MEDIUM

The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and …

Dec 12, 2025
CVE-2025-14392
4.3 MEDIUM

The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_theme_admin, display_method_admin, and …

Dec 12, 2025
CVE-2025-14391
4.3 MEDIUM

The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing …

Dec 12, 2025
CVE-2025-14354
4.3 MEDIUM

The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This …

Dec 12, 2025
CVE-2025-14344
9.8 CRITICAL

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function …

Dec 12, 2025
CVE-2025-14170
4.3 MEDIUM

The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization …

Dec 12, 2025
CVE-2025-14166
5.3 MEDIUM

The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin …

Dec 12, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.