CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-56074
9.8 CRITICAL

A SQL Injection vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary …

Sep 22, 2025
CVE-2025-6544
9.8 CRITICAL

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper …

Sep 21, 2025
CVE-2025-40925
9.1 CRITICAL

Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, …

Sep 20, 2025
CVE-2025-59431
9.8 CRITICAL

MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerably to Boolean-based SQL injection. It …

Sep 19, 2025
CVE-2025-10568
9.8 CRITICAL

HyperX NGENUITY software is potentially vulnerable to arbitrary code execution. HP is releasing updated software to address the potential vulnerability.

Sep 19, 2025
CVE-2025-34206
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) mount host configuration and secret material under /var/www/efs_storage into many Docker containers …

Sep 19, 2025
CVE-2025-34205
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code …

Sep 19, 2025
CVE-2025-34204
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) contains multiple Docker containers that run primary application processes (for example PHP …

Sep 19, 2025
CVE-2025-34203
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1002 and Application versions prior to 20.0.2614 (VA and SaaS deployments) contain multiple Docker containers …

Sep 19, 2025
CVE-2025-34198
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application prior to 20.0.2368 (VA and SaaS deployments) contain shared, hardcoded SSH host …

Sep 19, 2025
CVE-2025-34195
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application prior to 20.0.1330 (Windows client deployments) contain a remote code execution vulnerability …

Sep 19, 2025
CVE-2025-34193
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 include Windows client components (PrinterInstallerClientInterface.exe, PrinterInstallerClient.exe, PrinterInstallerClientLauncher.exe) that …

Sep 19, 2025
CVE-2025-34192
9.8 CRITICAL

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.893 and Application versions prior to 20.0.2140 (macOS/Linux client deployments) are built against OpenSSL 1.0.2h-fips …

Sep 19, 2025
CVE-2025-48703
9.0 CRITICAL KEV

CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a …

Sep 19, 2025
CVE-2025-57644
9.1 CRITICAL

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting …

Sep 19, 2025
CVE-2025-5948
9.8 CRITICAL

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is …

Sep 19, 2025
CVE-2025-10690
9.8 CRITICAL

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the …

Sep 19, 2025
CVE-2025-10035
10.0 CRITICAL KEV

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary …

Sep 18, 2025
CVE-2025-54807
9.8 CRITICAL

The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, …

Sep 18, 2025
CVE-2025-30519
9.8 CRITICAL

Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker with network access to …

Sep 18, 2025
CVE-2024-13151
9.8 CRITICAL

CWE - 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ESBI Information and Telecommunication Industry and Trade …

Sep 18, 2025
CVE-2025-6237
9.8 CRITICAL

A vulnerability in invokeai version v6.0.0a1 and below allows attackers to perform path traversal and arbitrary file deletion via the GET /api/v1/images/download/{bulk_download_item_name} endpoint. By manipulating …

Sep 18, 2025
CVE-2025-9083
9.8 CRITICAL

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a …

Sep 18, 2025
CVE-2025-8942
9.1 CRITICAL

The WP Hotel Booking WordPress plugin before 2.2.3 lacks proper server-side validation for review ratings, allowing an attacker to manipulate the rating value (e.g., sending …

Sep 18, 2025
CVE-2025-5305
9.8 CRITICAL

The Password Reset with Code for WordPress REST API WordPress plugin before 0.0.17 does not use cryptographically sound algorithms to generate OTP codes, potentially leading …

Sep 18, 2025
CVE-2025-23316
9.8 CRITICAL

NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause a remote code execution by …

Sep 17, 2025
CVE-2025-10644
9.4 CRITICAL

Wondershare Repairit SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on Wondershare Repairit. Authentication is not required …

Sep 17, 2025
CVE-2025-10643
9.1 CRITICAL

Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Wondershare Repairit. Authentication is not …

Sep 17, 2025
CVE-2025-59352
9.8 CRITICAL

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send …

Sep 17, 2025
CVE-2025-59340
9.8 CRITICAL

jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Priori to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible …

Sep 17, 2025
CVE-2025-59345
9.1 CRITICAL

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are …

Sep 17, 2025
CVE-2025-58766
9.0 CRITICAL

Dyad is a local AI app builder. A critical security vulnerability has been discovered that affected Dyad v0.19.0 and earlier versions that allows attackers to …

Sep 17, 2025
CVE-2025-59304
9.8 CRITICAL

A directory traversal issue in Swetrix Web Analytics API 3.1.1 before 7d8b972 allows a remote attacker to achieve Remote Code Execution via a crafted HTTP …

Sep 17, 2025
CVE-2025-8077
9.8 CRITICAL

A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` …

Sep 17, 2025
CVE-2025-10439
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yordam Informatics Yordam Library Automation System allows SQL Injection.This issue affects …

Sep 17, 2025
CVE-2025-10156
9.8 CRITICAL

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This …

Sep 17, 2025
CVE-2025-9242
9.8 CRITICAL KEV

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User …

Sep 17, 2025
CVE-2025-9972
9.8 CRITICAL

Certain models of Industrial Cellular Gateway developed by Planet Technology have an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands …

Sep 17, 2025
CVE-2025-9971
9.8 CRITICAL

Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a …

Sep 17, 2025
CVE-2025-54391
9.1 CRITICAL

A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The …

Sep 16, 2025
CVE-2025-57631
9.8 CRITICAL

SQL Injection vulnerability in TDuckCloud v.5.1 allows a remote attacker to execute arbitrary code via the Add a file upload module

Sep 16, 2025
CVE-2025-34186
9.8 CRITICAL

Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing …

Sep 16, 2025
CVE-2025-34184
9.8 CRITICAL

Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands …

Sep 16, 2025
CVE-2025-56557
9.1 CRITICAL

An issue discovered in the Tuya Smart Life App 5.6.1 allows attackers to unprivileged control Matter devices via the Matter protocol.

Sep 16, 2025
CVE-2025-59334
9.6 CRITICAL

Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of …

Sep 16, 2025
CVE-2025-10492
9.8 CRITICAL

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on …

Sep 16, 2025
CVE-2025-41243
10.0 CRITICAL

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: …

Sep 16, 2025
CVE-2024-13149
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability …

Sep 16, 2025
CVE-2025-57119
9.8 CRITICAL

An issue in Online Library Management System v.3.0 allows an attacker to escalate privileges via the adminlogin.php component and the Login function

Sep 16, 2025
CVE-2025-55113
9.0 CRITICAL

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 …

Sep 16, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.