CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-9408
9.8 CRITICAL

In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.

Jul 16, 2025
CVE-2025-54010
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets easy-code-manager allows Cross Site Request Forgery.This issue affects FluentSnippets: from n/a through <= 10.50.

Jul 16, 2025
CVE-2024-9342
9.8 CRITICAL

In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of …

Jul 16, 2025
CVE-2025-7673
9.8 CRITICAL

A buffer overflow vulnerability in the URL parser of the zhttpd web server in Zyxel VMG8825-T50K firmware versions prior to V5.50(ABOM.5)C0 could allow an unauthenticated …

Jul 16, 2025
CVE-2025-52689
9.8 CRITICAL

Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially …

Jul 16, 2025
CVE-2025-52688
9.8 CRITICAL

Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of …

Jul 16, 2025
CVE-2025-49841
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in process_ckpt.py. The SoVITS_dropdown variable takes …

Jul 15, 2025
CVE-2025-49840
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in inference_webui.py. The GPT_dropdown variable takes …

Jul 15, 2025
CVE-2025-49839
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The model_choose variable takes …

Jul 15, 2025
CVE-2025-49838
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in vr.py AudioPreDeEcho. The model_choose variable …

Jul 15, 2025
CVE-2025-49837
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in vr.py AudioPre. The model_choose variable …

Jul 15, 2025
CVE-2025-49836
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py change_label function. path_list takes …

Jul 15, 2025
CVE-2025-49835
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and …

Jul 15, 2025
CVE-2025-49834
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_denoise function. denoise_inp_dir and …

Jul 15, 2025
CVE-2025-49833
9.8 CRITICAL

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the webui.py open_slice function. slice_opt_root …

Jul 15, 2025
CVE-2025-49831
9.8 CRITICAL

An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to …

Jul 15, 2025
CVE-2025-50067
9.0 CRITICAL

Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vulnerability allows low privileged …

Jul 15, 2025
CVE-2025-49827
9.8 CRITICAL

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 …

Jul 15, 2025
CVE-2025-41238
9.3 CRITICAL

VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor …

Jul 15, 2025
CVE-2025-41237
9.3 CRITICAL

VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local …

Jul 15, 2025
CVE-2025-41236
9.3 CRITICAL

VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual …

Jul 15, 2025
CVE-2025-53826
9.8 CRITICAL

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In …

Jul 15, 2025
CVE-2025-6965
9.8 CRITICAL

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead …

Jul 15, 2025
CVE-2025-52376
9.8 CRITICAL

An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the …

Jul 15, 2025
CVE-2025-34111
9.8 CRITICAL

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows …

Jul 15, 2025
CVE-2025-3621
9.6 CRITICAL

Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * Improper Neutralization of Special …

Jul 15, 2025
CVE-2025-7360
9.1 CRITICAL

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due …

Jul 15, 2025
CVE-2025-7341
9.1 CRITICAL

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due …

Jul 15, 2025
CVE-2025-7340
9.8 CRITICAL

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due …

Jul 15, 2025
CVE-2025-5394
9.8 CRITICAL

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the …

Jul 15, 2025
CVE-2025-5393
9.1 CRITICAL

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the …

Jul 15, 2025
CVE-2025-53890
9.8 CRITICAL

pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to …

Jul 15, 2025
CVE-2025-53836
9.9 CRITICAL

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting …

Jul 15, 2025
CVE-2025-53835
9.0 CRITICAL

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting …

Jul 14, 2025
CVE-2025-53833
10.0 CRITICAL

LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template …

Jul 14, 2025
CVE-2025-53825
9.4 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to …

Jul 14, 2025
CVE-2025-53639
9.8 CRITICAL

MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. …

Jul 14, 2025
CVE-2025-50756
9.8 CRITICAL

Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute …

Jul 14, 2025
CVE-2025-7574
9.8 CRITICAL

A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function …

Jul 14, 2025
CVE-2025-7451
9.8 CRITICAL

The iSherlock developed by Hgiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the …

Jul 14, 2025
CVE-2020-36849
9.8 CRITICAL

The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions …

Jul 12, 2025
CVE-2020-36847
9.8 CRITICAL

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be …

Jul 12, 2025
CVE-2025-6058
9.8 CRITICAL

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' …

Jul 12, 2025
CVE-2023-38036
9.8 CRITICAL

A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service …

Jul 12, 2025
CVE-2025-52950
9.6 CRITICAL

A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web …

Jul 11, 2025
CVE-2025-5392
9.8 CRITICAL

The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. …

Jul 11, 2025
CVE-2025-30026
9.8 CRITICAL

The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required.

Jul 11, 2025
CVE-2025-30023
9.0 CRITICAL

The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack.

Jul 11, 2025
CVE-2025-7401
9.8 CRITICAL

The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an …

Jul 11, 2025
CVE-2025-52579
9.4 CRITICAL

Emerson ValveLink Products store sensitive information in cleartext in memory. The sensitive memory might be saved to disk, stored in a core dump, or remain …

Jul 11, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.