CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-58819
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects …

Sep 5, 2025
CVE-2025-55037
9.8 CRITICAL

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is …

Sep 5, 2025
CVE-2025-55244
9.0 CRITICAL

Azure Bot Service Elevation of Privilege Vulnerability

Sep 4, 2025
CVE-2025-55241
10.0 CRITICAL

Azure Entra ID Elevation of Privilege Vulnerability

Sep 4, 2025
CVE-2025-55190
9.9 CRITICAL

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through …

Sep 4, 2025
CVE-2025-54914
10.0 CRITICAL

Azure Networking Elevation of Privilege Vulnerability

Sep 4, 2025
CVE-2025-58361
9.3 CRITICAL

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain an non-exhaustive URL scheme check that does not protect …

Sep 4, 2025
CVE-2025-41034
9.8 CRITICAL

An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database, through …

Sep 4, 2025
CVE-2025-41033
9.8 CRITICAL

An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database, through …

Sep 4, 2025
CVE-2025-41032
9.8 CRITICAL

An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database, through …

Sep 4, 2025
CVE-2025-58357
9.6 CRITICAL

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that …

Sep 4, 2025
CVE-2025-36904
9.8 CRITICAL

WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-396458384.

Sep 4, 2025
CVE-2025-36897
9.8 CRITICAL

In unknown of cd_CnMsgCodecUserApi.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution …

Sep 4, 2025
CVE-2025-36896
9.8 CRITICAL

WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-394765106.

Sep 4, 2025
CVE-2025-36890
9.8 CRITICAL

Elevation of Privilege

Sep 4, 2025
CVE-2025-55747
9.1 CRITICAL

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are …

Sep 3, 2025
CVE-2025-53690
9.0 CRITICAL KEV

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience …

Sep 3, 2025
CVE-2025-56752
9.4 CRITICAL

A vulnerability in the Ruijie RG-ES series switch firmware ESW_1.0(1)B1P39 enables remote attackers to fully bypass authentication mechanisms, providing them with unrestricted access to alter …

Sep 3, 2025
CVE-2025-57148
9.1 CRITICAL

phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.

Sep 3, 2025
CVE-2025-57052
9.8 CRITICAL

cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data …

Sep 3, 2025
CVE-2025-53693
9.8 CRITICAL

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This …

Sep 3, 2025
CVE-2024-43166
9.8 CRITICAL

Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the …

Sep 3, 2025
CVE-2025-1740
9.8 CRITICAL

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force.This issue affects MyRezzta: from s2.03.01 before v2.05.01.

Sep 3, 2025
CVE-2024-32444
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation.This issue affects RealHomes: from n/a through <= 4.3.6.

Sep 3, 2025
CVE-2025-26416
9.8 CRITICAL

In initializeSwizzler of SkBmpStandardCodec.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote escalation of …

Sep 2, 2025
CVE-2025-22435
9.8 CRITICAL

In avdt_msg_ind of avdt_msg.cc, there is a possible memory corruption due to type confusion. This could lead to paired device escalation of privilege with no …

Sep 2, 2025
CVE-2025-22429
9.8 CRITICAL

In multiple locations, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local …

Sep 2, 2025
CVE-2025-9276
9.8 CRITICAL

Cockroach Labs cockroach-k8s-request-cert Empty Root Password Authentication Bypass Vulnerability. This vulnerability could allow remote attackers to bypass authentication on systems that use the affected version …

Sep 2, 2025
CVE-2025-6519
9.8 CRITICAL

E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password …

Sep 2, 2025
CVE-2025-5662
9.8 CRITICAL

A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) …

Sep 2, 2025
CVE-2025-57140
9.8 CRITICAL

rsbi-pom 4.7 is vulnerable to SQL Injection in the /bi/service/model/DatasetService path.

Sep 2, 2025
CVE-2025-52549
9.8 CRITICAL

E3 Site Supervisor Control (firmware version < 2.31F01) generates the root linux password on each boot. An attacker can generate the root linux password for …

Sep 2, 2025
CVE-2024-28988
9.8 CRITICAL

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to …

Sep 1, 2025
CVE-2025-9809
9.8 CRITICAL

Out-of-bounds write in cdfs_open_cue_track in libretro libretro-common latest on all platforms allows remote attackers to execute arbitrary code via a crafted .cue file with a …

Sep 1, 2025
CVE-2022-38696
9.8 CRITICAL

In BootRom, there's a possible missing payload size check. This could lead to memory buffer overflow without requiring additional execution privileges.

Sep 1, 2025
CVE-2022-38693
9.8 CRITICAL

In FDL1, there is a possible missing payload size check. This could lead to memory buffer overflow without requiring additional execution privileges.

Sep 1, 2025
CVE-2022-38692
9.8 CRITICAL

In BootROM, there is a missing size check for RSA keys in Certificate Type 0 validation. This could lead to memory buffer overflow without requiring …

Sep 1, 2025
CVE-2025-6507
9.8 CRITICAL

A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files. …

Sep 1, 2025
CVE-2025-54857
9.8 CRITICAL

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge BASIC MB-A130 Ver.1.5.8 and earlier. If exploited, a …

Sep 1, 2025
CVE-2025-31100
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Mojoomla School Management allows Upload a Web Shell to a Web Server.This issue affects School Management: …

Aug 31, 2025
CVE-2024-32832
9.8 CRITICAL

Missing Authorization vulnerability in Hamid Alinia Login with phone number login-with-phone-number.This issue affects Login with phone number: from n/a through <= 1.6.93.

Aug 31, 2025
CVE-2025-54946
9.8 CRITICAL

A SQL injection vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary SQL commands.

Aug 30, 2025
CVE-2025-54945
9.8 CRITICAL

An external control of file name or path vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary system commands …

Aug 30, 2025
CVE-2025-54944
9.8 CRITICAL

An unrestricted upload of file with dangerous type vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to write malicious code in …

Aug 30, 2025
CVE-2025-54943
9.8 CRITICAL

A missing authorization vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to perform unauthorized application deployment due to the absence of …

Aug 30, 2025
CVE-2025-54942
9.8 CRITICAL

A missing authentication for critical function vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to access deployment functionality without prior authentication.

Aug 30, 2025
CVE-2025-58159
9.9 CRITICAL

WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded …

Aug 29, 2025
CVE-2025-58068
9.1 CRITICAL

Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper …

Aug 29, 2025
CVE-2024-46484
9.8 CRITICAL

TRENDnet TV-IP410 vA1.0R was discovered to contain an OS command injection vulnerability via the /server/cgi-bin/testserv.cgi component.

Aug 29, 2025
CVE-2025-43773
9.1 CRITICAL

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and …

Aug 29, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.