CVE Database

111521+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2013-10031
7.5 HIGH

Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks

Dec 9, 2025
CVE-2025-66469
6.1 MEDIUM

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack …

Dec 9, 2025
CVE-2025-66204
8.1 HIGH

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` …

Dec 9, 2025
CVE-2025-66202
6.5 MEDIUM

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks …

Dec 9, 2025
CVE-2025-65964
8.8 HIGH

n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. …

Dec 9, 2025
CVE-2025-65962
4.6 MEDIUM

Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap …

Dec 9, 2025
CVE-2025-64760
4.6 MEDIUM

Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap …

Dec 8, 2025
CVE-2025-64499
4.6 MEDIUM

Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise …

Dec 8, 2025
CVE-2025-64498
4.6 MEDIUM

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior …

Dec 8, 2025
CVE-2025-64497
6.5 MEDIUM

Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below …

Dec 8, 2025
CVE-2025-36140
6.5 MEDIUM

IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources …

Dec 8, 2025
CVE-2025-64650
6.5 MEDIUM

IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files.

Dec 8, 2025
CVE-2025-62408
5.9 MEDIUM

c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a …

Dec 8, 2025
CVE-2025-36102
2.7 LOW

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into …

Dec 8, 2025
CVE-2025-36017
6.5 MEDIUM

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained …

Dec 8, 2025
CVE-2025-36015
6.5 MEDIUM

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due …

Dec 8, 2025
CVE-2025-33111
4.3 MEDIUM

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may …

Dec 8, 2025
CVE-2025-14276
5.6 MEDIUM

A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. Impacted is an unknown function of the file /ajax/php/leaf_search.php. This manipulation of the …

Dec 8, 2025
CVE-2025-12832
4.6 MEDIUM

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from …

Dec 8, 2025
CVE-2025-12635
5.4 MEDIUM

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of …

Dec 8, 2025
CVE-2025-65228
3.5 LOW

A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799).

Dec 8, 2025
CVE-2025-65230
5.4 MEDIUM

Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input.

Dec 8, 2025
CVE-2025-65229
4.6 MEDIUM

A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player …

Dec 8, 2025
CVE-2025-65849
9.1 CRITICAL

A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via …

Dec 8, 2025
CVE-2025-65548
9.1 CRITICAL

NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 do not validate the size of preimage when the …

Dec 8, 2025
CVE-2025-65271
8.8 HIGH

Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. …

Dec 8, 2025
CVE-2025-65231
6.1 MEDIUM

Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close …

Dec 8, 2025
CVE-2025-14261
7.1 HIGH

The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its …

Dec 8, 2025
CVE-2025-65804
6.5 MEDIUM

Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE).

Dec 8, 2025
CVE-2025-64081
9.8 CRITICAL

SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.

Dec 8, 2025
CVE-2025-48625
7.0 HIGH

In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition. This …

Dec 8, 2025
CVE-2025-48608
5.5 MEDIUM

In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure …

Dec 8, 2025
CVE-2025-48606
7.8 HIGH

In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to …

Dec 8, 2025
CVE-2025-48569
5.5 MEDIUM

In multiple locations, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no …

Dec 8, 2025
CVE-2025-14259
6.3 MEDIUM

A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation …

Dec 8, 2025
CVE-2025-14258
7.3 HIGH

A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /newsubject.php. The manipulation …

Dec 8, 2025
CVE-2025-65799
4.3 MEDIUM

A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal.

Dec 8, 2025
CVE-2025-65797
6.5 MEDIUM

Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, …

Dec 8, 2025
CVE-2025-65795
7.5 HIGH

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.

Dec 8, 2025
CVE-2025-65363
7.2 HIGH

Authenticated append-style command-injection Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root, enabling file disclosure, device disruption, and …

Dec 8, 2025
CVE-2025-63721
8.8 HIGH

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and …

Dec 8, 2025
CVE-2025-59391
6.5 MEDIUM

A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing …

Dec 8, 2025
CVE-2025-48639
7.3 HIGH

In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation …

Dec 8, 2025
CVE-2025-48638
7.8 HIGH

In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no …

Dec 8, 2025
CVE-2025-48637
7.8 HIGH

In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of …

Dec 8, 2025
CVE-2025-48633
5.5 MEDIUM KEV

In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This …

Dec 8, 2025
CVE-2025-48632
7.8 HIGH

In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input …

Dec 8, 2025
CVE-2025-48631
6.5 MEDIUM

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with …

Dec 8, 2025
CVE-2025-48629
7.8 HIGH

In findAvailRecognizer of VoiceInteractionManagerService.java, there is a possible way to become the default speech recognizer app due to an insecure default value. This could lead …

Dec 8, 2025
CVE-2025-48628
7.8 HIGH

In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with …

Dec 8, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.