CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-8868
9.8 CRITICAL

In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the …

Sep 29, 2025
CVE-2025-48006
9.1 CRITICAL

Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. If a specially crafted request is processed, arbitrary files on …

Sep 29, 2025
CVE-2025-11126
9.8 CRITICAL

A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. …

Sep 29, 2025
CVE-2025-59936
9.4 CRITICAL

get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching …

Sep 27, 2025
CVE-2025-59934
9.4 CRITICAL

Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine …

Sep 26, 2025
CVE-2025-58384
10.0 CRITICAL

In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface.

Sep 26, 2025
CVE-2025-55187
9.9 CRITICAL

In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges.

Sep 26, 2025
CVE-2025-60219
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro wc-designer-pro allows Upload a Web Shell to a Web Server.This issue affects …

Sep 26, 2025
CVE-2025-60156
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: …

Sep 26, 2025
CVE-2025-11005
9.8 CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through …

Sep 25, 2025
CVE-2025-59841
9.8 CRITICAL

Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated …

Sep 25, 2025
CVE-2025-20363
9.0 CRITICAL

A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, …

Sep 25, 2025
CVE-2025-20333
9.9 CRITICAL KEV

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could …

Sep 25, 2025
CVE-2025-59832
9.9 CRITICAL

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket …

Sep 25, 2025
CVE-2025-59823
9.9 CRITICAL

Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers …

Sep 25, 2025
CVE-2025-40836
9.8 CRITICAL

Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges.

Sep 25, 2025
CVE-2025-10542
9.8 CRITICAL

iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client’s connection dialog. If the administrator does not change these …

Sep 25, 2025
CVE-2025-59834
9.8 CRITICAL

ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server …

Sep 25, 2025
CVE-2025-27261
9.8 CRITICAL

Ericsson Indoor Connect 8855 contains an SQL injection vulnerability which if exploited can result in unauthorized disclosure or modification of data.

Sep 25, 2025
CVE-2025-10894
9.6 CRITICAL

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via …

Sep 24, 2025
CVE-2025-59827
9.8 CRITICAL

Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign …

Sep 24, 2025
CVE-2025-59828
9.8 CRITICAL

Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed …

Sep 24, 2025
CVE-2025-57321
9.8 CRITICAL

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, …

Sep 24, 2025
CVE-2025-57347
9.8 CRITICAL

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during …

Sep 24, 2025
CVE-2025-52906
9.8 CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through …

Sep 24, 2025
CVE-2025-10890
9.1 CRITICAL

Side-channel information leakage in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium …

Sep 24, 2025
CVE-2025-10585
9.8 CRITICAL KEV

Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium …

Sep 24, 2025
CVE-2025-56819
9.8 CRITICAL

An issue in Datart v.1.0.0-rc.3 allows a remote attacker to execute arbitrary code via the INIT connection parameter.

Sep 24, 2025
CVE-2025-27034
9.8 CRITICAL

Memory corruption while selecting the PLMN from SOR failed list.

Sep 24, 2025
CVE-2025-21483
9.8 CRITICAL

Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.

Sep 24, 2025
CVE-2025-9054
9.8 CRITICAL

The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due …

Sep 24, 2025
CVE-2025-41715
9.8 CRITICAL

The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it.

Sep 24, 2025
CVE-2025-59545
9.0 CRITICAL

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of …

Sep 23, 2025
CVE-2025-4993
9.1 CRITICAL

Untrusted Pointer Dereference vulnerability in RTI Connext Professional (Core Libraries) allows Pointer Manipulation.This issue affects Connext Professional: from 7.4.0 before 7.6.0, from 7.0.0 before 7.3.0.10, …

Sep 23, 2025
CVE-2025-1255
9.1 CRITICAL

Untrusted Pointer Dereference vulnerability in RTI Connext Professional (Core Libraries) allows Pointer Manipulation.This issue affects Connext Professional: from 7.4.0 before 7.6.0, from 7.2.0 before 7.3.0.9.

Sep 23, 2025
CVE-2025-9846
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection.This issue affects Inka.Net: before 6.7.1.

Sep 23, 2025
CVE-2025-10412
9.8 CRITICAL

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured …

Sep 23, 2025
CVE-2025-10147
9.8 CRITICAL

The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all …

Sep 23, 2025
CVE-2025-9588
10.0 CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection.This issue …

Sep 23, 2025
CVE-2025-9321
9.8 CRITICAL

The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation …

Sep 23, 2025
CVE-2025-26399
9.8 CRITICAL KEV

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker …

Sep 23, 2025
CVE-2025-59528
10.0 CRITICAL

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code …

Sep 22, 2025
CVE-2025-59434
9.6 CRITICAL

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability …

Sep 22, 2025
CVE-2025-58255
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images custom-post-types-image allows Code Injection.This issue affects Custom Post Type Images: from n/a through <= …

Sep 22, 2025
CVE-2025-57441
9.8 CRITICAL

The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker …

Sep 22, 2025
CVE-2025-57437
9.8 CRITICAL

The Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive information via an unauthenticated Telnet service on port 9977. When connected, the service reveals extensive …

Sep 22, 2025
CVE-2025-57602
9.8 CRITICAL

Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote …

Sep 22, 2025
CVE-2025-57601
9.8 CRITICAL

AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an …

Sep 22, 2025
CVE-2025-57432
9.8 CRITICAL

Blackmagic Web Presenter version 3.3 exposes a Telnet service on port 9977 that accepts unauthenticated commands. This service allows remote attackers to manipulate stream settings, …

Sep 22, 2025
CVE-2025-35042
9.8 CRITICAL

Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this …

Sep 22, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.