CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-49408
10.0 CRITICAL

Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.

Aug 20, 2025
CVE-2025-49400
9.8 CRITICAL

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) allows Stored XSS. This issue affects …

Aug 20, 2025
CVE-2025-49381
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect adstxt-guru-connect allows Cross Site Request Forgery.This issue affects ads.txt Guru Connect: from n/a through …

Aug 20, 2025
CVE-2025-48169
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine code-engine allows Remote Code Inclusion.This issue affects Code Engine: from n/a …

Aug 20, 2025
CVE-2025-48148
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files.This issue affects StoreKeeper for WooCommerce: from …

Aug 20, 2025
CVE-2025-9187
9.8 CRITICAL

Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough …

Aug 19, 2025
CVE-2025-9179
9.8 CRITICAL

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly …

Aug 19, 2025
CVE-2025-8042
9.8 CRITICAL

Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.

Aug 19, 2025
CVE-2025-55031
9.8 CRITICAL

Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range …

Aug 19, 2025
CVE-2025-54145
9.1 CRITICAL

The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL …

Aug 19, 2025
CVE-2025-54143
9.8 CRITICAL

Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability was fixed …

Aug 19, 2025
CVE-2025-51543
9.8 CRITICAL

An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint.

Aug 19, 2025
CVE-2025-55733
9.6 CRITICAL

DeepChat is a smart assistant that connects powerful AI to your personal world. DeepChat before 0.3.1 has a one-click remote code execution vulnerability. An attacker …

Aug 19, 2025
CVE-2025-55306
9.8 CRITICAL

GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys …

Aug 19, 2025
CVE-2024-44373
9.8 CRITICAL

A Path Traversal vulnerability in AllSky v2023.05.01 through v2024.12.06_06 allows an unauthenticated attacker to create a webshell and remote code execution via the path, content …

Aug 19, 2025
CVE-2025-55294
9.8 CRITICAL

screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option …

Aug 19, 2025
CVE-2025-54336
9.8 CRITICAL

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can …

Aug 19, 2025
CVE-2025-50567
10.0 CRITICAL

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL …

Aug 19, 2025
CVE-2025-8723
9.8 CRITICAL

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in …

Aug 19, 2025
CVE-2025-6758
9.8 CRITICAL

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, …

Aug 19, 2025
CVE-2025-55591
9.8 CRITICAL

TOTOLINK-A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapDel endpoint.

Aug 18, 2025
CVE-2025-55213
9.8 CRITICAL

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart …

Aug 18, 2025
CVE-2025-55299
9.4 CRITICAL

VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty …

Aug 18, 2025
CVE-2025-55293
9.4 CRITICAL

Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with …

Aug 18, 2025
CVE-2025-55283
9.1 CRITICAL

aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows elevation to superuser inside PostgreSQL databases during …

Aug 18, 2025
CVE-2025-55282
9.1 CRITICAL

aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows a user to elevate to superuser inside …

Aug 18, 2025
CVE-2025-55205
9.0 CRITICAL

Capsule is a multi-tenancy and policy-based framework for Kubernetes. A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant users to inject …

Aug 18, 2025
CVE-2025-54117
9.0 CRITICAL

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated …

Aug 18, 2025
CVE-2025-31715
9.8 CRITICAL

In vowifi service, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with no additional …

Aug 18, 2025
CVE-2025-8898
9.8 CRITICAL

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and …

Aug 16, 2025
CVE-2025-7441
9.8 CRITICAL

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook …

Aug 16, 2025
CVE-2025-9060
9.1 CRITICAL

A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration …

Aug 15, 2025
CVE-2025-8995
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4.

Aug 15, 2025
CVE-2025-54466
9.8 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before …

Aug 15, 2025
CVE-2025-7778
9.8 CRITICAL

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in …

Aug 15, 2025
CVE-2025-6679
9.8 CRITICAL

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and …

Aug 15, 2025
CVE-2025-20265
10.0 CRITICAL

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell …

Aug 14, 2025
CVE-2025-50518
9.8 CRITICAL

A use-after-free vulnerability exists in the coap_delete_pdu_lkd function within coap_pdu.c of the libcoap library. This issue occurs due to improper handling of memory after the …

Aug 14, 2025
CVE-2025-7972
9.1 CRITICAL

A security issue exists within the FactoryTalk Linx Network Browser. By modifying the process.env.NODE_ENV to ‘development’, the attacker can disable FTSP token validation. This bypass …

Aug 14, 2025
CVE-2025-43983
9.1 CRITICAL

KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices have multiple unauthenticated access control vulnerabilities within goform/goform_set_cmd_process and goform/goform_get_cmd_process. These allow an unauthenticated attacker to retrieve sensitive information (including the …

Aug 14, 2025
CVE-2025-27845
9.8 CRITICAL

In ESPEC North America Web Controller 3 before 3.3.4, /api/v4/auth/ with any invalid authentication request results in exposing a JWT secret. This allows for elevated …

Aug 14, 2025
CVE-2025-43984
9.8 CRITICAL

An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, …

Aug 14, 2025
CVE-2025-54707
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows SQL Injection.This issue affects MDTF: from n/a …

Aug 14, 2025
CVE-2025-54693
9.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block form-block allows Upload a Web Shell to a Web Server.This issue affects Form …

Aug 14, 2025
CVE-2025-54686
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio exertio allows Object Injection.This issue affects Exertio: from n/a through <= 1.3.2.

Aug 14, 2025
CVE-2025-54678
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects …

Aug 14, 2025
CVE-2025-54669
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RomanCode MapSVG mapsvg allows SQL Injection.This issue affects MapSVG: from n/a …

Aug 14, 2025
CVE-2025-52720
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp allows SQL Injection.This issue affects Super …

Aug 14, 2025
CVE-2025-49887
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce product-xml-feeds-for-woocommerce allows Remote Code Inclusion.This issue affects Product …

Aug 14, 2025
CVE-2025-49059
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection.This issue affects CleverReach® WP: …

Aug 14, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.