CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-48293
9.8 CRITICAL

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows PHP Local File …

Aug 14, 2025
CVE-2025-25174
10.0 CRITICAL

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beeteam368-extensions allows PHP Local File Inclusion.This …

Aug 14, 2025
CVE-2025-24775
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: …

Aug 14, 2025
CVE-2025-8943
9.8 CRITICAL

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent …

Aug 14, 2025
CVE-2025-8047
9.8 CRITICAL

The disable-right-click-powered-by-pixterme through v1.2 and pixter-image-digital-license thtough v1.0 WordPress plugins load a JavaScript file which has been compromised from an apparent abandoned S3 bucket. It …

Aug 14, 2025
CVE-2025-55346
9.8 CRITICAL

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of …

Aug 14, 2025
CVE-2012-10060
9.8 CRITICAL

Sysax Multi Server versions prior to 5.55 contains a stack-based buffer overflow in its SSH service. When a remote attacker supplies an overly long username …

Aug 13, 2025
CVE-2012-10054
9.8 CRITICAL

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits …

Aug 13, 2025
CVE-2011-10019
9.8 CRITICAL

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the …

Aug 13, 2025
CVE-2011-10018
9.8 CRITICAL

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by …

Aug 13, 2025
CVE-2025-43986
9.8 CRITICAL

An issue was discovered on KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices. The TELNET service is enabled by default and exposed over the WAN interface without authentication.

Aug 13, 2025
CVE-2025-43982
9.8 CRITICAL

Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI.

Aug 13, 2025
CVE-2025-52385
9.8 CRITICAL

An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module

Aug 13, 2025
CVE-2025-51451
9.8 CRITICAL

In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.

Aug 13, 2025
CVE-2025-50594
9.8 CRITICAL

An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password.

Aug 13, 2025
CVE-2025-51452
9.8 CRITICAL

In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm.

Aug 13, 2025
CVE-2025-50251
9.1 CRITICAL

Server side request forgery (SSRF) vulnerability in makeplane plane 0.23.1 via the password recovery.

Aug 13, 2025
CVE-2025-54382
9.6 CRITICAL

Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry …

Aug 13, 2025
CVE-2025-54074
9.8 CRITICAL

Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection …

Aug 13, 2025
CVE-2025-8913
9.8 CRITICAL

Organization Portal System developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.

Aug 13, 2025
CVE-2025-8760
9.8 CRITICAL

A vulnerability was identified in INSTAR 2K+ and 4K 3.11.1 Build 1124. This affects the function base64_decode of the component fcgi_server. The manipulation of the …

Aug 13, 2025
CVE-2025-6715
9.8 CRITICAL

The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and …

Aug 13, 2025
CVE-2025-7384
9.8 CRITICAL

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, …

Aug 13, 2025
CVE-2025-49457
9.6 CRITICAL

Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access

Aug 12, 2025
CVE-2025-55168
9.8 CRITICAL

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability …

Aug 12, 2025
CVE-2025-25256
9.8 CRITICAL

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through …

Aug 12, 2025
CVE-2025-53766
9.8 CRITICAL

Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.

Aug 12, 2025
CVE-2025-50171
9.1 CRITICAL

Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network.

Aug 12, 2025
CVE-2025-50165
9.8 CRITICAL

Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

Aug 12, 2025
CVE-2025-55167
9.8 CRITICAL

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability …

Aug 12, 2025
CVE-2025-55010
9.1 CRITICAL

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users …

Aug 12, 2025
CVE-2025-40746
9.1 CRITICAL

A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V3.2). Affected products do not properly validate input for a backup script. …

Aug 12, 2025
CVE-2025-8059
9.8 CRITICAL

The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all …

Aug 12, 2025
CVE-2025-42957
9.9 CRITICAL

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of …

Aug 12, 2025
CVE-2025-42950
9.9 CRITICAL

SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the …

Aug 12, 2025
CVE-2024-32640
9.8 CRITICAL

MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability …

Aug 11, 2025
CVE-2025-53187
9.8 CRITICAL

Due to an issue in configuration, code that was intended for debugging purposes was included in the market release of the ASPECT FW allowing an …

Aug 11, 2025
CVE-2025-45146
9.8 CRITICAL

ModelCache for LLM through v0.2.0 was discovered to contain an deserialization vulnerability via the component /manager/data_manager.py. This vulnerability allows attackers to execute arbitrary code via …

Aug 11, 2025
CVE-2025-8853
9.8 CRITICAL

Official Document Management System developed by 2100 Technology has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to obtain any user's connection token and use …

Aug 11, 2025
CVE-2025-8660
9.8 CRITICAL

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed.

Aug 11, 2025
CVE-2025-8854
9.8 CRITICAL

Stack-based buffer overflow in LoadOFF in bulletphysics bullet3 before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file …

Aug 11, 2025
CVE-2025-54997
9.1 CRITICAL

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some …

Aug 9, 2025
CVE-2025-6573
9.8 CRITICAL

Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE).

Aug 9, 2025
CVE-2025-5095
9.8 CRITICAL

Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change …

Aug 8, 2025
CVE-2025-52913
9.8 CRITICAL

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path …

Aug 8, 2025
CVE-2025-8284
9.8 CRITICAL

By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate …

Aug 8, 2025
CVE-2025-8731
9.8 CRITICAL

A vulnerability was identified in TRENDnet TI-G160i, TI-PG102i and TPL-430AP up to 20250724. This affects an unknown part of the component SSH Service. The manipulation …

Aug 8, 2025
CVE-2025-8356
9.8 CRITICAL

In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to …

Aug 8, 2025
CVE-2025-8730
9.8 CRITICAL

A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component …

Aug 8, 2025
CVE-2025-53606
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which …

Aug 8, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.