CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-55100
9.1 CRITICAL

In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing …

Oct 17, 2025
CVE-2025-11849
9.3 CRITICAL

Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth …

Oct 17, 2025
CVE-2025-11900
9.8 CRITICAL

The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the …

Oct 17, 2025
CVE-2025-11492
9.6 CRITICAL

In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle …

Oct 16, 2025
CVE-2025-62586
9.8 CRITICAL

OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0.

Oct 16, 2025
CVE-2025-61922
9.1 CRITICAL

PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation …

Oct 16, 2025
CVE-2025-34516
9.8 CRITICAL

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a use of default credentials vulnerability that allows an unauthenticated attacker to obtain remote access. Ilevia …

Oct 16, 2025
CVE-2025-34515
9.8 CRITICAL

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an execution with unnecessary privileges vulnerability in sync_project.sh that allows an attacker to escalate privileges to …

Oct 16, 2025
CVE-2025-34513
9.8 CRITICAL

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. …

Oct 16, 2025
CVE-2025-9804
9.6 CRITICAL

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. …

Oct 16, 2025
CVE-2025-9152
9.8 CRITICAL

An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. …

Oct 16, 2025
CVE-2025-10611
9.8 CRITICAL

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to …

Oct 16, 2025
CVE-2025-54539
9.8 CRITICAL

A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up …

Oct 16, 2025
CVE-2025-41018
9.8 CRITICAL

SQL injection in Sergestec's Exito v8.0. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'cat' parameter in '/public.php'.

Oct 16, 2025
CVE-2025-62583
9.8 CRITICAL

Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.

Oct 16, 2025
CVE-2025-55089
9.8 CRITICAL

In FileX before 6.4.2, the file support module for Eclipse Foundation ThreadX, there was a possible buffer overflow in the FileX RAM disk driver. It …

Oct 16, 2025
CVE-2025-10850
9.8 CRITICAL

The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password …

Oct 16, 2025
CVE-2025-10742
9.8 CRITICAL

The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the …

Oct 16, 2025
CVE-2025-11832
9.8 CRITICAL

Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access Technology BLU-IC4 allows Flooding.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: …

Oct 15, 2025
CVE-2025-56749
9.4 CRITICAL

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid …

Oct 15, 2025
CVE-2025-53521
9.8 CRITICAL KEV

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions …

Oct 15, 2025
CVE-2025-55081
9.1 CRITICAL

In Eclipse Foundation NextX Duo before 6.4.4, a module of ThreadX, the _nx_secure_tls_process_clienthello() function was missing length verification of certain SSL/TLS client hello message: the …

Oct 15, 2025
CVE-2025-9967
9.8 CRITICAL

The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This …

Oct 15, 2025
CVE-2025-10294
9.8 CRITICAL

The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the …

Oct 15, 2025
CVE-2025-10041
9.8 CRITICAL

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all …

Oct 15, 2025
CVE-2025-49553
9.3 CRITICAL

Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker to execute malicious …

Oct 14, 2025
CVE-2025-34267
9.9 CRITICAL

Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to …

Oct 14, 2025
CVE-2025-59287
9.8 CRITICAL KEV

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Oct 14, 2025
CVE-2025-55315
9.9 CRITICAL

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Oct 14, 2025
CVE-2025-49708
9.9 CRITICAL

Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network.

Oct 14, 2025
CVE-2025-9064
9.1 CRITICAL

A path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file …

Oct 14, 2025
CVE-2025-9063
9.8 CRITICAL

An authentication bypass security issue exists within FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView …

Oct 14, 2025
CVE-2025-7328
9.8 CRITICAL

Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result …

Oct 14, 2025
CVE-2025-11721
9.8 CRITICAL

Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this …

Oct 14, 2025
CVE-2025-11719
9.8 CRITICAL

Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. …

Oct 14, 2025
CVE-2025-11717
9.1 CRITICAL

When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last …

Oct 14, 2025
CVE-2025-11710
9.8 CRITICAL

A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. …

Oct 14, 2025
CVE-2025-11709
9.8 CRITICAL

A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability …

Oct 14, 2025
CVE-2025-11708
9.8 CRITICAL

Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Oct 14, 2025
CVE-2025-10610
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting Information Processing Industry and Foreign Trade Inc. Winsure allows …

Oct 14, 2025
CVE-2025-40771
9.8 CRITICAL

A vulnerability has been identified in SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0) (All versions < V2.4.24), SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0) (All versions < V2.4.24), SIMATIC CP …

Oct 14, 2025
CVE-2025-40765
9.8 CRITICAL

A vulnerability has been identified in TeleControl Server Basic V3.1 (All versions >= V3.1.2.2 < V3.1.2.3). The affected application contains an information disclosure vulnerability. This …

Oct 14, 2025
CVE-2025-46581
9.8 CRITICAL

ZTE's ZXCDN product is affected by a Struts remote code execution (RCE) vulnerability. An unauthenticated attacker can remotely execute commands with non-root privileges.

Oct 14, 2025
CVE-2025-42937
9.8 CRITICAL

SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system …

Oct 14, 2025
CVE-2025-42910
9.0 CRITICAL

Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include …

Oct 14, 2025
CVE-2025-37729
9.1 CRITICAL

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating …

Oct 13, 2025
CVE-2025-6919
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cats Information Technology Software Development Technologies Aykome License Tracking System allows …

Oct 13, 2025
CVE-2025-9976
9.0 CRITICAL

An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could allow an attacker to …

Oct 13, 2025
CVE-2025-27258
9.8 CRITICAL

Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege.

Oct 13, 2025
CVE-2025-6439
9.8 CRITICAL

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion …

Oct 11, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.