CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-6388
9.8 CRITICAL

The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() …

Oct 3, 2025
CVE-2025-61605
9.8 CRITICAL

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an SQL Injection vulnerability which was identified …

Oct 2, 2025
CVE-2025-61603
9.8 CRITICAL

WeGIA is a Web manager for charitable institutions. Versions 3.4.12 and below include an SQL Injection vulnerability which was identified in the /controle/control.php endpoint, specifically …

Oct 2, 2025
CVE-2025-59407
9.8 CRITICAL

The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a …

Oct 2, 2025
CVE-2025-59403
9.8 CRITICAL

The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo …

Oct 2, 2025
CVE-2025-59743
9.8 CRITICAL

SQL injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability could allow an attacker to retrieve, create, update, and delete databases by sending a POST request. …

Oct 2, 2025
CVE-2025-59742
9.8 CRITICAL

SQL injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability could allow an attacker to retrieve, create, update, and delete databases by sending a POST request. …

Oct 2, 2025
CVE-2025-59741
9.8 CRITICAL

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a …

Oct 2, 2025
CVE-2025-59740
9.8 CRITICAL

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a …

Oct 2, 2025
CVE-2025-59739
9.8 CRITICAL

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a …

Oct 2, 2025
CVE-2025-59738
9.8 CRITICAL

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a …

Oct 2, 2025
CVE-2025-59737
9.8 CRITICAL

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a …

Oct 2, 2025
CVE-2025-59736
9.8 CRITICAL

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a …

Oct 2, 2025
CVE-2025-59735
9.8 CRITICAL

Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a …

Oct 2, 2025
CVE-2025-9697
9.8 CRITICAL

The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX …

Oct 2, 2025
CVE-2025-59951
9.1 CRITICAL

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, …

Oct 1, 2025
CVE-2025-8679
9.8 CRITICAL

In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts …

Oct 1, 2025
CVE-2025-61045
9.8 CRITICAL

TOTOLINK X18 V9.1.0cu.2053_B20230309 was discovered to contain a command injection vulnerability via the mac parameter in the setEasyMeshAgentCfg function.

Oct 1, 2025
CVE-2025-61044
9.8 CRITICAL

TOTOLINK X18 V9.1.0cu.2053_B20230309 was discovered to contain a command injection vulnerability via the agentName parameter in the setEasyMeshAgentCfg function.

Oct 1, 2025
CVE-2025-61622
9.8 CRITICAL

Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. …

Oct 1, 2025
CVE-2020-36852
9.1 CRITICAL

The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including 1.7.1, due to a …

Oct 1, 2025
CVE-2025-10659
9.8 CRITICAL

The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs …

Sep 30, 2025
CVE-2025-56513
9.8 CRITICAL

NiceHash QuickMiner 6.12.0 perform software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the …

Sep 30, 2025
CVE-2025-10725
9.9 CRITICAL

A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist …

Sep 30, 2025
CVE-2025-7493
9.1 CRITICAL

A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the …

Sep 30, 2025
CVE-2025-34217
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) contain an undocumented 'printerlogic' user with a hardcoded SSH public key in '~/.ssh/authorized_keys' and …

Sep 30, 2025
CVE-2025-9762
9.8 CRITICAL

The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all …

Sep 30, 2025
CVE-2025-8625
9.8 CRITICAL

The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back …

Sep 30, 2025
CVE-2025-8120
9.8 CRITICAL

Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without …

Sep 30, 2025
CVE-2025-7065
9.8 CRITICAL

Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without …

Sep 30, 2025
CVE-2025-7063
9.8 CRITICAL

Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without …

Sep 30, 2025
CVE-2025-59954
9.8 CRITICAL

Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Exection through using an unsafe org.apache.commons.jxpath.JXPathContext …

Sep 30, 2025
CVE-2025-11148
9.8 CRITICAL

All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to …

Sep 30, 2025
CVE-2024-58040
9.1 CRITICAL

Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.

Sep 30, 2025
CVE-2025-59937
9.1 CRITICAL

go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a …

Sep 29, 2025
CVE-2025-54875
9.8 CRITICAL

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration …

Sep 29, 2025
CVE-2025-54592
9.8 CRITICAL

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the …

Sep 29, 2025
CVE-2025-57266
9.8 CRITICAL

An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys …

Sep 29, 2025
CVE-2025-34224
9.1 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts …

Sep 29, 2025
CVE-2025-34223
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and …

Sep 29, 2025
CVE-2025-34222
9.1 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose four admin routes – /admin/hp/cert_upload, …

Sep 29, 2025
CVE-2025-34221
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518 (VA/SaaS deployments) expose every internal Docker container to …

Sep 29, 2025
CVE-2025-34218
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose internal Docker containers through the …

Sep 29, 2025
CVE-2025-34216
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated …

Sep 29, 2025
CVE-2025-34215
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (only VA deployments) expose an unauthenticated firmware-upload flow: …

Sep 29, 2025
CVE-2025-34212
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls …

Sep 29, 2025
CVE-2025-34207
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.1049 and Application prior to 20.0.2786 (VA and SaaS deployments) configure the SSH client within Docker …

Sep 29, 2025
CVE-2025-34196
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for …

Sep 29, 2025
CVE-2025-56795
9.0 CRITICAL

Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields …

Sep 29, 2025
CVE-2024-13150
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Fayton Software and Consulting Services fayton.Pro ERP allows SQL Injection.This issue …

Sep 29, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.