CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-6553
9.8 CRITICAL

The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all …

Oct 11, 2025
CVE-2025-11533
9.8 CRITICAL

The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() …

Oct 11, 2025
CVE-2025-61929
9.6 CRITICAL

Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation …

Oct 10, 2025
CVE-2025-60306
9.9 CRITICAL

code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations.

Oct 10, 2025
CVE-2025-60269
9.4 CRITICAL

JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls function located in the src/main/java/org/jeecgframework/web/cgreport/controller/excel/CgExportExcelController.java file.

Oct 10, 2025
CVE-2025-60307
9.8 CRITICAL

code-projects Computer Laboratory System 1.0 has a SQL injection vulnerability, where entering a universal password in the Password field on the login page can bypass …

Oct 10, 2025
CVE-2025-59286
9.3 CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to disclose information over a network.

Oct 9, 2025
CVE-2025-59272
9.3 CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to perform information disclosure locally.

Oct 9, 2025
CVE-2025-59252
9.3 CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to disclose information over a network.

Oct 9, 2025
CVE-2025-59246
9.8 CRITICAL

Azure Entra ID Elevation of Privilege Vulnerability

Oct 9, 2025
CVE-2025-59218
9.6 CRITICAL

Azure Entra ID Elevation of Privilege Vulnerability

Oct 9, 2025
CVE-2025-55321
9.3 CRITICAL

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an unauthorized attacker to perform spoofing over a network.

Oct 9, 2025
CVE-2025-35051
9.8 CRITICAL

Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with …

Oct 9, 2025
CVE-2025-35050
9.8 CRITICAL

Newforma Info Exchange (NIX) accepts serialized .NET data via the '/remoteweb/remote.rem' endpoint, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. …

Oct 9, 2025
CVE-2025-60316
9.4 CRITICAL

SourceCodester Pet Grooming Management Software 1.0 is vulnerable to SQL Injection in admin/view_customer.php via the ID parameter.

Oct 9, 2025
CVE-2025-59978
9.0 CRITICAL

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to store script tags directly …

Oct 9, 2025
CVE-2025-10284
9.6 CRITICAL

BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code …

Oct 9, 2025
CVE-2025-10283
9.6 CRITICAL

BBOT's gitdumper module could be abused to execute commands through a malicious git repository.

Oct 9, 2025
CVE-2025-56683
9.6 CRITICAL

A cross-site scripting (XSS) vulnerability in the component /app/marketplace.html of Logseq v0.10.9 allows attackers to execute arbitrary code via injecting arbitrary Javascript into a crafted …

Oct 9, 2025
CVE-2025-11539
9.9 CRITICAL

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv …

Oct 9, 2025
CVE-2025-11522
9.8 CRITICAL

The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and …

Oct 9, 2025
CVE-2025-7634
9.8 CRITICAL

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up …

Oct 9, 2025
CVE-2025-7526
9.8 CRITICAL

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to …

Oct 9, 2025
CVE-2025-10586
9.8 CRITICAL

The Community Events plugin for WordPress is vulnerable to SQL Injection via the ‘event_venue’ parameter in all versions up to, and including, 1.5.1 due to …

Oct 9, 2025
CVE-2025-61913
9.9 CRITICAL

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in …

Oct 8, 2025
CVE-2025-10587
9.8 CRITICAL

The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to …

Oct 8, 2025
CVE-2025-11423
9.8 CRITICAL

A vulnerability was found in Tenda CH22 1.0.0.1. This affects the function formSafeEmailFilter of the file /goform/SafeEmailFilter. Performing a manipulation of the argument page results …

Oct 8, 2025
CVE-2025-11418
9.8 CRITICAL

A security vulnerability has been detected in Tenda CH22 up to 1.0.0.1. This issue affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset of the component …

Oct 8, 2025
CVE-2025-44823
9.9 CRITICAL

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.

Oct 7, 2025
CVE-2025-3450
10.0 CRITICAL

An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker …

Oct 7, 2025
CVE-2025-52021
9.8 CRITICAL

A SQL Injection vulnerability exists in the edit_product.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The product_id GET parameter is unsafely passed to a …

Oct 7, 2025
CVE-2025-0603
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Callvision Healthcare Callvision Emergency Code allows SQL Injection, Blind SQL Injection.This …

Oct 7, 2025
CVE-2025-57515
9.8 CRITICAL

A SQL injection vulnerability has been identified in Uniclare Student Portal v2. This flaw allows remote attackers to inject arbitrary SQL commands via vulnerable input …

Oct 6, 2025
CVE-2025-61777
9.4 CRITICAL

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints …

Oct 6, 2025
CVE-2025-60965
9.1 CRITICAL

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a …

Oct 6, 2025
CVE-2025-60964
9.1 CRITICAL

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a …

Oct 6, 2025
CVE-2025-60957
9.9 CRITICAL

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a …

Oct 6, 2025
CVE-2025-57247
9.1 CRITICAL

The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the …

Oct 6, 2025
CVE-2025-36356
9.3 CRITICAL

IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated user to escalate …

Oct 6, 2025
CVE-2025-59159
9.6 CRITICAL

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. …

Oct 6, 2025
CVE-2023-49886
9.8 CRITICAL

IBM Standards Processing Engine 10.0.1.10 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe java deserialization. By sending …

Oct 6, 2025
CVE-2025-61882
9.8 CRITICAL KEV

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability …

Oct 5, 2025
CVE-2025-39946
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for …

Oct 4, 2025
CVE-2025-9485
9.8 CRITICAL

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and …

Oct 4, 2025
CVE-2025-49844
9.9 CRITICAL

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua …

Oct 3, 2025
CVE-2025-9286
9.8 CRITICAL

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all …

Oct 3, 2025
CVE-2025-9209
9.8 CRITICAL

The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the …

Oct 3, 2025
CVE-2025-7721
9.8 CRITICAL

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up …

Oct 3, 2025
CVE-2025-10726
9.1 CRITICAL

The WPRecovery plugin for WordPress is vulnerable to SQL Injection via the 'data[id]' parameter in all versions up to, and including, 2.0. This is due …

Oct 3, 2025
CVE-2025-10547
9.8 CRITICAL

An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE …

Oct 3, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.