CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-24936
9.0 CRITICAL

The web application allows user input to pass unfiltered to a command executed on the underlying operating system. The vulnerable component is bound to the …

Jul 21, 2025
CVE-2025-7918
9.8 CRITICAL

WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and …

Jul 21, 2025
CVE-2025-7916
9.8 CRITICAL

WinMatrix3 developed by Simopro Technology has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted …

Jul 21, 2025
CVE-2025-53770
9.8 CRITICAL KEV

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit …

Jul 20, 2025
CVE-2015-10138
9.8 CRITICAL

The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server …

Jul 19, 2025
CVE-2016-15043
9.8 CRITICAL

The WP Mobile Detector plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in resize.php file in versions up …

Jul 19, 2025
CVE-2015-10135
9.8 CRITICAL

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in …

Jul 19, 2025
CVE-2012-10019
9.8 CRITICAL

The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions …

Jul 19, 2025
CVE-2025-7697
9.8 CRITICAL

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions …

Jul 19, 2025
CVE-2025-7696
9.8 CRITICAL

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up …

Jul 19, 2025
CVE-2025-7394
9.8 CRITICAL

In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() …

Jul 18, 2025
CVE-2025-54309
9.0 CRITICAL KEV

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to …

Jul 18, 2025
CVE-2025-49747
9.9 CRITICAL

Missing authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.

Jul 18, 2025
CVE-2025-49746
9.9 CRITICAL

Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.

Jul 18, 2025
CVE-2025-47158
9.0 CRITICAL

Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

Jul 18, 2025
CVE-2025-53888
9.8 CRITICAL

RIOT-OS, an operating system that supports Internet of Things devices, has an ineffective size check implemented with `assert()` can lead to buffer overflow in versions …

Jul 18, 2025
CVE-2025-46001
9.8 CRITICAL

An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

Jul 18, 2025
CVE-2025-7444
9.8 CRITICAL

The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification …

Jul 18, 2025
CVE-2025-26855
9.8 CRITICAL

A SQL injection in Articles Calendar extension 1.0.0 - 1.0.1.0007 for Joomla allows attackers to execute arbitrary SQL commands.

Jul 18, 2025
CVE-2025-26854
9.8 CRITICAL

A SQL injection in Articles Good Search extension 1.0.0 - 1.2.4.0011 for Joomla allows attackers to execute arbitrary SQL commands.

Jul 18, 2025
CVE-2025-7643
9.1 CRITICAL

The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the handle_actions() function in all versions …

Jul 18, 2025
CVE-2025-6222
9.8 CRITICAL

The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due …

Jul 18, 2025
CVE-2025-6185
9.3 CRITICAL

Leviton AcquiSuite and Energy Monitoring Hub are susceptible to a cross-site scripting vulnerability, allowing an attacker to craft a malicious payload in URL parameters, which …

Jul 18, 2025
CVE-2025-7398
9.1 CRITICAL

Brocade ASCG before 3.3.0 allows for the use of medium strength cryptography algorithms on internal ports ports 9000 and 8036.

Jul 17, 2025
CVE-2025-6391
9.1 CRITICAL

Brocade ASCG before 3.3.0 logs JSON Web Tokens (JWT) in log files. An attacker with access to the log files can withdraw the unencrypted tokens …

Jul 17, 2025
CVE-2025-53964
9.6 CRITICAL

GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches …

Jul 17, 2025
CVE-2025-23266
9.0 CRITICAL

NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with …

Jul 17, 2025
CVE-2025-54068
9.8 CRITICAL KEV

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution …

Jul 17, 2025
CVE-2025-50240
9.8 CRITICAL

nbcio-boot v1.0.3 was discovered to contain a SQL injection vulnerability via the userIds parameter at /sys/user/deleteRecycleBin.

Jul 17, 2025
CVE-2025-53644
9.8 CRITICAL

OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap …

Jul 17, 2025
CVE-2025-53867
9.8 CRITICAL

Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL.

Jul 17, 2025
CVE-2025-52046
9.8 CRITICAL

Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated …

Jul 17, 2025
CVE-2025-25257
9.8 CRITICAL KEV

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through …

Jul 17, 2025
CVE-2025-53909
9.1 CRITICAL

mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the …

Jul 17, 2025
CVE-2025-51630
9.8 CRITICAL

TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a buffer overflow via the ePort parameter in the function setIpPortFilterRules.

Jul 17, 2025
CVE-2025-7712
9.1 CRITICAL

The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wp_manga_delete_zip() function in all …

Jul 17, 2025
CVE-2025-5396
9.8 CRITICAL

The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the …

Jul 17, 2025
CVE-2025-20337
10.0 CRITICAL KEV

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying …

Jul 16, 2025
CVE-2025-53937
9.8 CRITICAL

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the …

Jul 16, 2025
CVE-2025-52836
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP profitori allows Privilege Escalation.This issue affects The E-Commerce ERP: from n/a through …

Jul 16, 2025
CVE-2025-52714
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows SQL Injection.This issue affects Traveler: from n/a …

Jul 16, 2025
CVE-2025-48300
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg groundhogg allows Upload a Web Shell to a Web Server.This issue affects Groundhogg: …

Jul 16, 2025
CVE-2025-30973
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS coschool allows Object Injection.This issue affects CoSchool LMS: from n/a through <= 1.4.3.

Jul 16, 2025
CVE-2025-30949
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram site-chat-on-telegram allows Object Injection.This issue affects Site Chat on Telegram: from n/a through …

Jul 16, 2025
CVE-2025-30936
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod torod allows SQL Injection.This issue …

Jul 16, 2025
CVE-2025-29009
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce medical-prescription-attachment-plugin-for-woocommerce allows Upload a Web Shell to a Web …

Jul 16, 2025
CVE-2025-28982
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThimPress WP Pipes allows SQL Injection. This issue affects WP Pipes: …

Jul 16, 2025
CVE-2025-28961
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Object Injection.This issue affects URL Shortener: from n/a through <= 3.0.7.

Jul 16, 2025
CVE-2025-28959
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows SQL Injection.This issue …

Jul 16, 2025
CVE-2025-24759
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Blind SQL …

Jul 16, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.