CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-60207
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Addify Custom User Registration Fields for WooCommerce user-registration-plugin-for-woocommerce allows Upload a Web Shell to a Web …

Nov 6, 2025
CVE-2025-60195
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Privilege Escalation.This issue affects Atarim: from n/a through <= 4.2.1.

Nov 6, 2025
CVE-2025-58998
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Cristián Lávaque s2Member s2member allows Object Injection.This issue affects s2Member: from n/a through <= 250701.

Nov 6, 2025
CVE-2025-58996
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Upload a Web Shell to a Web Server.This issue affects …

Nov 6, 2025
CVE-2025-58636
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a through …

Nov 6, 2025
CVE-2025-58627
9.8 CRITICAL

Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: …

Nov 6, 2025
CVE-2025-53283
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon allows Upload a Web Shell …

Nov 6, 2025
CVE-2025-53242
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.This issue affects Seil: from n/a through <= 1.7.1.

Nov 6, 2025
CVE-2025-52773
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiecor HieCOR Payment Gateway Plugin hcv4-payment-gateway allows SQL Injection.This issue affects …

Nov 6, 2025
CVE-2025-49393
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.This issue affects Sign-up Sheets: from n/a through <= 2.3.2.

Nov 6, 2025
CVE-2025-49372
10.0 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7.

Nov 6, 2025
CVE-2025-48089
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rainbow-Themes Education WordPress Theme | HiStudy histudy allows SQL Injection.This issue …

Nov 6, 2025
CVE-2025-47588
9.1 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic …

Nov 6, 2025
CVE-2025-32222
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.This issue affects Widget Logic: from n/a through <= …

Nov 6, 2025
CVE-2025-64164
9.8 CRITICAL

Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, …

Nov 6, 2025
CVE-2025-64163
9.8 CRITICAL

DataEase is an open source data visualization analysis tool. In versions 2.10.14 and below, the vendor added a blacklist to filter ldap:// and ldaps://. However, …

Nov 6, 2025
CVE-2025-62596
10.0 CRITICAL

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with …

Nov 6, 2025
CVE-2025-62161
10.0 CRITICAL

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape …

Nov 6, 2025
CVE-2025-63334
9.8 CRITICAL

PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in …

Nov 5, 2025
CVE-2025-63416
9.1 CRITICAL

** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary …

Nov 5, 2025
CVE-2025-55343
9.9 CRITICAL

Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usua_codi, anexos_lista.php radi_temp, Administracion/listas/formArea_ajax.php codDepe, Administracion/listas/formDepeHijo_ajax.php codDepe, Administracion/listas/formDepePadre_ajax.php codInst, …

Nov 5, 2025
CVE-2025-56231
9.1 CRITICAL

Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections.

Nov 5, 2025
CVE-2025-46364
9.1 CRITICAL

Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user with known password can run CLI Escape Vulnerability to gain control of …

Nov 5, 2025
CVE-2025-45378
9.1 CRITICAL

Dell CloudLink, versions 8.0 through 8.1.2, contain vulnerability on restricted shell. A Privileged user with known password can break into command shell of CloudLink server …

Nov 5, 2025
CVE-2025-20358
9.4 CRITICAL

A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain …

Nov 5, 2025
CVE-2025-20354
9.8 CRITICAL

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and …

Nov 5, 2025
CVE-2025-63601
9.9 CRITICAL

Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and …

Nov 5, 2025
CVE-2025-61304
9.8 CRITICAL

OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address.

Nov 5, 2025
CVE-2025-64459
9.1 CRITICAL

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, …

Nov 5, 2025
CVE-2025-47151
9.8 CRITICAL

A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr&#39;ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary …

Nov 5, 2025
CVE-2025-55108
10.0 CRITICAL

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled …

Nov 5, 2025
CVE-2025-12674
9.8 CRITICAL

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions …

Nov 5, 2025
CVE-2025-11749
9.8 CRITICAL

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API …

Nov 5, 2025
CVE-2025-12735
9.8 CRITICAL

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, …

Nov 5, 2025
CVE-2025-52910
9.8 CRITICAL

An issue was discovered in the GPU in Samsung Mobile Processor and Wearable Processor Exynos 1280, 2200, 1330, 1380, 1480, 2400. A Use-After-Free leads to …

Nov 4, 2025
CVE-2025-47776
9.1 CRITICAL

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication …

Nov 4, 2025
CVE-2025-61956
10.0 CRITICAL

Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without …

Nov 4, 2025
CVE-2025-61945
10.0 CRITICAL

Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can …

Nov 4, 2025
CVE-2025-54863
10.0 CRITICAL

Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather …

Nov 4, 2025
CVE-2025-12682
9.8 CRITICAL

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing file type validation in the 'file_during_checkout' …

Nov 4, 2025
CVE-2025-12493
9.8 CRITICAL

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local …

Nov 4, 2025
CVE-2025-12158
9.8 CRITICAL

The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions …

Nov 4, 2025
CVE-2025-11008
9.8 CRITICAL

The CE21 Suite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.1 via the log file. This …

Nov 4, 2025
CVE-2025-11007
9.8 CRITICAL

The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in …

Nov 4, 2025
CVE-2025-12642
9.1 CRITICAL

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may …

Nov 3, 2025
CVE-2025-12463
9.8 CRITICAL

An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. This has been confirmed on …

Nov 3, 2025
CVE-2025-11953
9.8 CRITICAL KEV

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that …

Nov 3, 2025
CVE-2025-63453
9.8 CRITICAL

Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/contact.php.

Nov 3, 2025
CVE-2025-63452
9.4 CRITICAL

Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/forgot-pass.php.

Nov 3, 2025
CVE-2025-63451
9.8 CRITICAL

Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php.

Nov 3, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.