CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-58448
9.1 CRITICAL

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Versions prior to commit 0d89ae0 have a SQL Injection in the PartyBooking …

Sep 9, 2025
CVE-2025-58447
9.8 CRITICAL

rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Versions prior to commit 2f5248b have a heap-based buffer overflow in the …

Sep 9, 2025
CVE-2025-58768
9.6 CRITICAL

DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly …

Sep 9, 2025
CVE-2025-58462
9.8 CRITICAL

OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content …

Sep 9, 2025
CVE-2025-57633
9.8 CRITICAL

A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a …

Sep 9, 2025
CVE-2025-43491
9.8 CRITICAL

A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the filesystem, which might lead to SYSTEM level …

Sep 9, 2025
CVE-2025-10159
9.8 CRITICAL

An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7).

Sep 9, 2025
CVE-2025-58762
9.1 CRITICAL

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use …

Sep 9, 2025
CVE-2025-44594
9.1 CRITICAL

halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url.

Sep 9, 2025
CVE-2025-55730
10.0 CRITICAL

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing …

Sep 9, 2025
CVE-2025-55729
10.0 CRITICAL

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing …

Sep 9, 2025
CVE-2025-55728
10.0 CRITICAL

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing …

Sep 9, 2025
CVE-2025-55727
10.0 CRITICAL

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing …

Sep 9, 2025
CVE-2025-55051
10.0 CRITICAL

CWE-1392: Use of Default Credentials

Sep 9, 2025
CVE-2025-55050
9.8 CRITICAL

CWE-1242: Inclusion of Undocumented Features

Sep 9, 2025
CVE-2025-55049
9.1 CRITICAL

Use of Default Cryptographic Key (CWE-1394)

Sep 9, 2025
CVE-2025-55048
9.8 CRITICAL

Multiple CWE-78

Sep 9, 2025
CVE-2025-57085
9.8 CRITICAL

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function. This vulnerability allows attackers to cause …

Sep 9, 2025
CVE-2025-58997
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow mow allows Code Injection.This issue affects Mow: from n/a through <= 4.10.

Sep 9, 2025
CVE-2025-55232
9.8 CRITICAL

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.

Sep 9, 2025
CVE-2025-54261
10.0 CRITICAL

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could …

Sep 9, 2025
CVE-2025-47579
9.0 CRITICAL

Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection.This issue affects Photography: from n/a through <= 7.7.2.

Sep 9, 2025
CVE-2025-47569
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card woocommerce-ultimate-gift-card allows Blind SQL Injection.This issue …

Sep 9, 2025
CVE-2025-32486
9.8 CRITICAL

Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard material-dashboard.This issue affects Material Dashboard: from n/a through <= 1.4.6.

Sep 9, 2025
CVE-2025-10183
9.1 CRITICAL

A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an …

Sep 9, 2025
CVE-2025-9994
9.8 CRITICAL

The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.

Sep 9, 2025
CVE-2025-54236
9.1 CRITICAL KEV

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this …

Sep 9, 2025
CVE-2025-40804
9.1 CRITICAL

A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). The affected application exposes a network share without any authentication. This …

Sep 9, 2025
CVE-2025-40795
9.8 CRITICAL

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User …

Sep 9, 2025
CVE-2025-10134
9.1 CRITICAL

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() …

Sep 9, 2025
CVE-2025-42958
9.1 CRITICAL

Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or …

Sep 9, 2025
CVE-2025-42944
10.0 CRITICAL

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an …

Sep 9, 2025
CVE-2025-42922
9.9 CRITICAL

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. …

Sep 9, 2025
CVE-2025-58746
9.0 CRITICAL

The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to …

Sep 8, 2025
CVE-2025-58745
9.9 CRITICAL

WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. The WeGIA only …

Sep 8, 2025
CVE-2025-9114
9.8 CRITICAL

The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.5.0. This is due to the plugin …

Sep 8, 2025
CVE-2025-9113
9.8 CRITICAL

The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions …

Sep 8, 2025
CVE-2025-57285
9.8 CRITICAL

codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, …

Sep 8, 2025
CVE-2025-56267
9.8 CRITICAL

A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via suuplying a crafted Excel file.

Sep 8, 2025
CVE-2025-56266
9.8 CRITICAL

A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.

Sep 8, 2025
CVE-2025-57141
9.8 CRITICAL

rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc.

Sep 8, 2025
CVE-2025-52161
9.8 CRITICAL

Scholl Communications AG Weblication CMS Core v019.004.000.000 was discovered to contain a cross-site scripting (XSS) vulnerability.

Sep 8, 2025
CVE-2025-22956
9.8 CRITICAL

OPSI before 4.3 allows any client to retrieve any ProductPropertyState, including those of other clients. This can lead to privilege escalation if any ProductPropertyState contains …

Sep 8, 2025
CVE-2025-58443
9.1 CRITICAL

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to …

Sep 6, 2025
CVE-2025-8359
9.8 CRITICAL

The AdForest theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 6.0.9. This is due to the plugin not …

Sep 6, 2025
CVE-2025-58371
9.8 CRITICAL

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a Github workflow used unsanitized pull request …

Sep 5, 2025
CVE-2025-35452
9.8 CRITICAL

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface.

Sep 5, 2025
CVE-2025-35451
9.8 CRITICAL

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening …

Sep 5, 2025
CVE-2025-58628
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous miraculous allows Blind SQL Injection.This issue affects Miraculous: from …

Sep 5, 2025
CVE-2025-49401
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in axiomthemes smart SEO smartSEO allows Privilege Escalation.This issue affects smart SEO: from n/a through <= 4.0.

Sep 5, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.