CVE Database

111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-12963
9.8 CRITICAL

The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in …

Dec 12, 2025
CVE-2025-12883
5.3 MEDIUM

The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due …

Dec 12, 2025
CVE-2025-12834
6.1 MEDIUM

The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, …

Dec 12, 2025
CVE-2025-12830
6.4 MEDIUM

The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.5 …

Dec 12, 2025
CVE-2025-12824
8.8 HIGH

The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This …

Dec 12, 2025
CVE-2025-12783
4.3 MEDIUM

The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function …

Dec 12, 2025
CVE-2025-12650
6.4 MEDIUM

The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up …

Dec 12, 2025
CVE-2025-13886
7.5 HIGH

The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in …

Dec 12, 2025
CVE-2025-13839
6.4 MEDIUM

The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and …

Dec 12, 2025
CVE-2025-13670
6.7 MEDIUM

The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability

Dec 12, 2025
CVE-2025-13669
6.7 MEDIUM

Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking.This issue affects High Level Synthesis Compiler: from 19.1 …

Dec 12, 2025
CVE-2025-13665
6.7 MEDIUM

The System Console Utility for Windows is vulnerable to a DLL planting vulnerability

Dec 12, 2025
CVE-2025-13053
3.7 LOW

When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to …

Dec 12, 2025
CVE-2025-13052
5.9 MEDIUM

When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who …

Dec 12, 2025
CVE-2025-10451
8.2 HIGH

Unchecked output buffer may allowed arbitrary code execution in SMM and potentially result in SMM memory corruption.

Dec 12, 2025
CVE-2025-67779
7.5 HIGH

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a …

Dec 12, 2025
CVE-2025-67780
4.2 MEDIUM

SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can …

Dec 11, 2025
CVE-2025-66452
6.1 MEDIUM

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes …

Dec 11, 2025
CVE-2025-66451
6.5 MEDIUM

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the …

Dec 11, 2025
CVE-2025-66450
5.4 MEDIUM

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST …

Dec 11, 2025
CVE-2025-66446
8.8 HIGH

MaxKB is an open-source AI assistant for enterprise. Versions 2.3.1 and below have improper file permissions which allow attackers to overwrite the built-in dynamic linker …

Dec 11, 2025
CVE-2025-66419
8.8 HIGH

MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and …

Dec 11, 2025
CVE-2025-64721
10.0 CRITICAL

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt …

Dec 11, 2025
CVE-2025-34506
8.8 HIGH

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially …

Dec 11, 2025
CVE-2025-34504
6.1 MEDIUM

KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. Attackers can craft malicious URLs …

Dec 11, 2025
CVE-2025-34499

AnyDesk 7.0.15 and 9.0.1 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. Attackers can …

Dec 11, 2025
CVE-2025-13668
6.7 MEDIUM

A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege.

Dec 11, 2025
CVE-2024-58313
7.2 HIGH

xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting …

Dec 11, 2025
CVE-2024-58312
7.5 HIGH

xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal …

Dec 11, 2025
CVE-2024-58310

APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can …

Dec 11, 2025
CVE-2024-58309
9.8 CRITICAL

xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. …

Dec 11, 2025
CVE-2024-58308
9.8 CRITICAL

Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL …

Dec 11, 2025
CVE-2024-58307
8.8 HIGH

CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious …

Dec 11, 2025
CVE-2024-58306

minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send …

Dec 11, 2025
CVE-2024-58304
7.5 HIGH

SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit …

Dec 11, 2025
CVE-2024-58303

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system …

Dec 11, 2025
CVE-2024-58302

FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit …

Dec 11, 2025
CVE-2024-58301

Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit …

Dec 11, 2025
CVE-2024-58300

Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. …

Dec 11, 2025
CVE-2024-58298

Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in …

Dec 11, 2025
CVE-2024-58297
5.4 MEDIUM

PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload …

Dec 11, 2025
CVE-2024-58296

CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS …

Dec 11, 2025
CVE-2024-58295

ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can …

Dec 11, 2025
CVE-2024-58294
8.8 HIGH

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers …

Dec 11, 2025
CVE-2024-58293

Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template …

Dec 11, 2025
CVE-2024-58292

XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can …

Dec 11, 2025
CVE-2024-58291

Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. Attackers can insert JavaScript payloads …

Dec 11, 2025
CVE-2024-58290

Xhibiter NFT Marketplace 1.10.2 contains a SQL injection vulnerability in the collections endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers …

Dec 11, 2025
CVE-2024-58289
5.4 MEDIUM

Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads …

Dec 11, 2025
CVE-2024-58288

Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute …

Dec 11, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.