CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-4784
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moderec Tourtella allows SQL Injection.This issue affects Tourtella: before 26.05.2025.

Jul 24, 2025
CVE-2025-5243
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SMG Software Information …

Jul 24, 2025
CVE-2025-4822
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bayraktar Solar Energies ScadaWatt Otopilot allows SQL Injection.This issue affects ScadaWatt …

Jul 24, 2025
CVE-2025-6441
9.8 CRITICAL

The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a …

Jul 24, 2025
CVE-2025-6380
9.8 CRITICAL

The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. …

Jul 24, 2025
CVE-2025-7852
9.8 CRITICAL

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' …

Jul 24, 2025
CVE-2025-7437
9.8 CRITICAL

The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions …

Jul 24, 2025
CVE-2025-41240
10.0 CRITICAL

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this …

Jul 24, 2025
CVE-2025-40599
9.1 CRITICAL

An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw …

Jul 23, 2025
CVE-2025-41687
9.8 CRITICAL

An unauthenticated remote attacker may use a stack based buffer overflow in the u-link Management API to gain full access on the affected devices.

Jul 23, 2025
CVE-2025-54455
9.1 CRITICAL

Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Jul 23, 2025
CVE-2025-54454
9.1 CRITICAL

Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Jul 23, 2025
CVE-2025-54451
9.8 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than …

Jul 23, 2025
CVE-2025-54449
9.8 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Jul 23, 2025
CVE-2025-54448
9.8 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Jul 23, 2025
CVE-2025-54446
9.8 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a …

Jul 23, 2025
CVE-2025-54444
9.8 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Jul 23, 2025
CVE-2025-54443
9.8 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a …

Jul 23, 2025
CVE-2025-54442
9.8 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Jul 23, 2025
CVE-2025-54440
9.8 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Jul 23, 2025
CVE-2025-54438
9.8 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a …

Jul 23, 2025
CVE-2025-8044
9.8 CRITICAL

Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough …

Jul 22, 2025
CVE-2025-8043
9.8 CRITICAL

Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.

Jul 22, 2025
CVE-2025-8038
9.8 CRITICAL

Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and …

Jul 22, 2025
CVE-2025-8037
9.1 CRITICAL

Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the …

Jul 22, 2025
CVE-2025-8031
9.8 CRITICAL

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, …

Jul 22, 2025
CVE-2025-8028
9.8 CRITICAL

On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and …

Jul 22, 2025
CVE-2025-4285
10.0 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection.This issue affects Agentis: before …

Jul 22, 2025
CVE-2025-6187
9.8 CRITICAL

The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The …

Jul 22, 2025
CVE-2015-10137
9.8 CRITICAL

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' …

Jul 22, 2025
CVE-2012-10020
9.8 CRITICAL

The FoxyPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadify.php file in versions up to, …

Jul 22, 2025
CVE-2025-54127
9.8 CRITICAL

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of …

Jul 21, 2025
CVE-2025-54122
10.0 CRITICAL

Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager …

Jul 21, 2025
CVE-2025-52362
9.1 CRITICAL

Server-Side Request Forgery (SSRF) vulnerability exists in the URL processing functionality of PHProxy version 1.1.1 and prior. The input validation for the _proxurl parameter can …

Jul 21, 2025
CVE-2020-26799
9.8 CRITICAL

A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data.

Jul 21, 2025
CVE-2025-44654
9.8 CRITICAL

In Linksys E2500 3.0.04.002, the chroot_local_user option is enabled in the vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, …

Jul 21, 2025
CVE-2025-36846
9.8 CRITICAL

An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS …

Jul 21, 2025
CVE-2025-7393
9.8 CRITICAL

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force.This issue affects Mail Login: from 3.0.0 before 3.2.0, from 4.0.0 before …

Jul 21, 2025
CVE-2025-44658
9.8 CRITICAL

In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may …

Jul 21, 2025
CVE-2025-44655
9.8 CRITICAL

In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system …

Jul 21, 2025
CVE-2025-46122
9.1 CRITICAL

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the …

Jul 21, 2025
CVE-2025-46121
9.8 CRITICAL

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to …

Jul 21, 2025
CVE-2025-46120
9.8 CRITICAL

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in …

Jul 21, 2025
CVE-2025-46117
9.1 CRITICAL

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where a hidden debug script …

Jul 21, 2025
CVE-2025-7624
9.8 CRITICAL

An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, …

Jul 21, 2025
CVE-2025-6704
9.8 CRITICAL

An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth …

Jul 21, 2025
CVE-2024-6107
9.6 CRITICAL

Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been …

Jul 21, 2025
CVE-2025-7921
9.8 CRITICAL

Certain modem models developed by Askey has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and potentially execute …

Jul 21, 2025
CVE-2025-7343
9.8 CRITICAL

The SFT developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database …

Jul 21, 2025
CVE-2025-24937
9.0 CRITICAL

File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a …

Jul 21, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.