CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-52856
9.8 CRITICAL

An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of …

Aug 29, 2025
CVE-2025-44033
9.8 CRITICAL

SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the allDirector() method declaration in src/main/java/cn/gson/oasys/mappers/AddressMapper.java

Aug 29, 2025
CVE-2025-8861
9.8 CRITICAL

TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.

Aug 29, 2025
CVE-2025-8857
9.8 CRITICAL

Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source …

Aug 29, 2025
CVE-2025-9605
9.8 CRITICAL

A security vulnerability has been detected in Tenda AC21 and AC23 16.03.08.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. Such manipulation of the …

Aug 29, 2025
CVE-2025-58059
9.1 CRITICAL

Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify …

Aug 28, 2025
CVE-2025-58048
9.9 CRITICAL

Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymenter allows a malicious authenticated user …

Aug 28, 2025
CVE-2025-57819
9.8 CRITICAL KEV

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access …

Aug 28, 2025
CVE-2025-55583
9.8 CRITICAL

D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter …

Aug 28, 2025
CVE-2025-54738
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster noo-jobmonster allows Authentication Abuse.This issue affects Jobmonster: from n/a through <= 4.7.9.

Aug 28, 2025
CVE-2025-54725
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo golo allows Authentication Abuse.This issue affects Golo: from n/a through <= 1.7.0.

Aug 28, 2025
CVE-2025-54720
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SteelThemes Nest Addons nest-addons allows SQL Injection.This issue affects Nest Addons: …

Aug 28, 2025
CVE-2025-52761
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This issue affects WP Funnel Manager: from n/a through <= 1.4.0.

Aug 28, 2025
CVE-2025-49388
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7.

Aug 28, 2025
CVE-2025-49387
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to …

Aug 28, 2025
CVE-2025-48100
9.1 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Remote Code Inclusion.This issue affects bidorbuy Store Integrator: from …

Aug 28, 2025
CVE-2025-39496
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WooBeWoo Product Filter Pro allows SQL Injection.This issue affects WooBeWoo …

Aug 28, 2025
CVE-2025-54762
9.8 CRITICAL

SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.

Aug 28, 2025
CVE-2025-53970
9.8 CRITICAL

SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.

Aug 28, 2025
CVE-2025-7955
9.8 CRITICAL

The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This …

Aug 28, 2025
CVE-2025-34523
9.8 CRITICAL

A heap-based buffer overflow vulnerability exists in the exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable …

Aug 27, 2025
CVE-2025-34522
9.8 CRITICAL

A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by …

Aug 27, 2025
CVE-2025-34520
9.8 CRITICAL

An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating …

Aug 27, 2025
CVE-2024-13979
9.8 CRITICAL

A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP …

Aug 27, 2025
CVE-2018-25115
9.8 CRITICAL

Multiple D-Link DIR-series routers, including DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 firmware version 1.03, contain a vulnerability in the service.cgi endpoint that allows …

Aug 27, 2025
CVE-2025-58050
9.1 CRITICAL

The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the …

Aug 27, 2025
CVE-2025-50428
9.8 CRITICAL

In RaspAP raspap-webgui 3.3.2 and earlier, a command injection vulnerability exists in the includes/hostapd.php script. The vulnerability is due to improper sanitizing of user input …

Aug 27, 2025
CVE-2025-34157
9.0 CRITICAL

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges …

Aug 27, 2025
CVE-2025-52122
9.8 CRITICAL

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that …

Aug 27, 2025
CVE-2025-50989
9.1 CRITICAL

OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level …

Aug 27, 2025
CVE-2025-50972
9.8 CRITICAL

SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: …

Aug 27, 2025
CVE-2025-43728
9.6 CRITICAL

Dell ThinOS 10, versions prior to 2508_10.0127, contain a Protection Mechanism Failure vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading …

Aug 27, 2025
CVE-2025-9523
9.8 CRITICAL

A vulnerability was detected in Tenda AC1206 15.03.06.23. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. The manipulation of the argument mac results in …

Aug 27, 2025
CVE-2025-22408
9.8 CRITICAL

In rfc_check_send_cmd of rfc_utils.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code …

Aug 26, 2025
CVE-2025-22403
9.8 CRITICAL

In sdp_snd_service_search_req of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code …

Aug 26, 2025
CVE-2025-0075
9.8 CRITICAL

In process_service_search_attr_req of sdp_server.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code …

Aug 26, 2025
CVE-2025-0074
9.8 CRITICAL

In process_service_attr_rsp of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code …

Aug 26, 2025
CVE-2025-55443
9.1 CRITICAL

Telpo MDM 1.4.6 thru 1.4.9 for Android contains sensitive administrator credentials and MQTT server connection details (IP/port) that are stored in plaintext within log files …

Aug 26, 2025
CVE-2025-52353
9.8 CRITICAL

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload …

Aug 26, 2025
CVE-2024-39335
9.1 CRITICAL

Supported versions of Mahara 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable to information being disclosed to an institution administrator under certain conditions via …

Aug 26, 2025
CVE-2025-55526
9.1 CRITICAL

n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py

Aug 26, 2025
CVE-2025-7776
9.8 CRITICAL

Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as a …

Aug 26, 2025
CVE-2025-7775
9.8 CRITICAL KEV

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN …

Aug 26, 2025
CVE-2025-41702
9.8 CRITICAL

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid …

Aug 26, 2025
CVE-2025-57773
9.8 CRITICAL

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack …

Aug 25, 2025
CVE-2025-57772
9.8 CRITICAL

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If …

Aug 25, 2025
CVE-2025-53120
9.4 CRITICAL

A path traversal vulnerability in unauthenticated upload functionality allows a malicious actor to upload binaries and scripts to the server’s configuration and web root directories, …

Aug 25, 2025
CVE-2025-50722
9.8 CRITICAL

Insecure Permissions vulnerability in sparkshop v.1.1.7 allows a remote attacker to execute arbitrary code via the Common.php component

Aug 25, 2025
CVE-2025-55575
9.8 CRITICAL

SQL Injection vulnerability in SMM Panel 3.1 allowing remote attackers to gain sensitive information via a crafted HTTP request with action=service_detail.

Aug 25, 2025
CVE-2025-53118
9.8 CRITICAL

An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens …

Aug 25, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.