CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-45854
10.0 CRITICAL

/server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.

Jun 3, 2025
CVE-2025-44148
9.8 CRITICAL

Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component

Jun 3, 2025
CVE-2025-25022
9.6 CRITICAL

IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to …

Jun 3, 2025
CVE-2025-4517
9.4 CRITICAL

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract …

Jun 3, 2025
CVE-2025-4797
9.8 CRITICAL

The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and …

Jun 3, 2025
CVE-2025-23099
9.1 CRITICAL

An issue was discovered in Samsung Mobile Processor Exynos 1480 and 2400. The lack of a length check leads to out-of-bounds writes.

Jun 2, 2025
CVE-2025-5086
9.0 CRITICAL KEV

A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.

Jun 2, 2025
CVE-2025-37096
9.8 CRITICAL

A command injection remote code execution vulnerability exists in HPE StoreOnce Software.

Jun 2, 2025
CVE-2025-37095
9.8 CRITICAL

A directory traversal information disclosure vulnerability exists in HPE StoreOnce Software.

Jun 2, 2025
CVE-2025-37093
9.8 CRITICAL

An authentication bypass vulnerability exists in HPE StoreOnce Software.

Jun 2, 2025
CVE-2025-37092
9.8 CRITICAL

A command injection remote code execution vulnerability exists in HPE StoreOnce Software.

Jun 2, 2025
CVE-2025-37090
9.8 CRITICAL

A server-side request forgery vulnerability exists in HPE StoreOnce Software.

Jun 2, 2025
CVE-2025-37089
9.8 CRITICAL

A command injection remote code execution vulnerability exists in HPE StoreOnce Software.

Jun 2, 2025
CVE-2025-1750
9.8 CRITICAL

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, …

Jun 2, 2025
CVE-2025-0324
9.4 CRITICAL

The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.

Jun 2, 2025
CVE-2025-49113
9.9 CRITICAL KEV

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated …

Jun 2, 2025
CVE-2025-20674
9.8 CRITICAL

In wlan AP driver, there is a possible way to inject arbitrary packet due to a missing permission check. This could lead to remote escalation …

Jun 2, 2025
CVE-2025-20672
9.8 CRITICAL

In Bluetooth driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege …

Jun 2, 2025
CVE-2025-5408
9.8 CRITICAL

A vulnerability was found in WAVLINK QUANTUM D2G, QUANTUM D3G, WL-WN530G3A, WL-WN530HG3, WL-WN532A3 and WL-WN576K1 up to V1410_240222 and classified as critical. Affected by this …

Jun 1, 2025
CVE-2025-40908
9.1 CRITICAL

YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified

Jun 1, 2025
CVE-2025-4631
9.8 CRITICAL

The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. …

May 31, 2025
CVE-2025-4607
9.8 CRITICAL

The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() …

May 31, 2025
CVE-2025-48949
9.8 CRITICAL

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the …

May 30, 2025
CVE-2025-48938
9.8 CRITICAL

go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 …

May 30, 2025
CVE-2023-26226
9.8 CRITICAL

A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682

May 30, 2025
CVE-2025-48865
9.1 CRITICAL

Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except …

May 30, 2025
CVE-2025-48481
9.8 CRITICAL

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an attacker with an unactivated email invitation containing invite_hash, can exploit …

May 30, 2025
CVE-2025-47952
9.1 CRITICAL

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing …

May 30, 2025
CVE-2025-48757
9.3 CRITICAL

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. …

May 30, 2025
CVE-2025-44619
9.1 CRITICAL

Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without …

May 30, 2025
CVE-2020-36846
9.8 CRITICAL

A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli …

May 30, 2025
CVE-2025-46352
9.8 CRITICAL

The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the …

May 30, 2025
CVE-2025-41438
9.8 CRITICAL

The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by …

May 30, 2025
CVE-2025-1907
9.8 CRITICAL

Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.

May 30, 2025
CVE-2025-31263
9.1 CRITICAL

The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4. An app may be able to corrupt coprocessor memory.

May 29, 2025
CVE-2025-30466
9.8 CRITICAL

This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. …

May 29, 2025
CVE-2025-4967
9.1 CRITICAL

Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.

May 29, 2025
CVE-2025-47933
9.0 CRITICAL

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on …

May 29, 2025
CVE-2025-48336
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection.This issue affects Course Builder: from n/a through < 3.6.6.

May 29, 2025
CVE-2023-41591
9.8 CRITICAL

An issue in Open Network Foundation ONOS v2.7.0 allows attackers to create fake IP/MAC addresses and potentially execute a man-in-the-middle attack on communications between fake …

May 29, 2025
CVE-2025-48471
9.8 CRITICAL

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application does not check or performs insufficient checking of files …

May 29, 2025
CVE-2025-48748
10.0 CRITICAL

Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.

May 29, 2025
CVE-2025-3755
9.1 CRITICAL

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker …

May 29, 2025
CVE-2025-48749
9.1 CRITICAL

Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent Data.

May 28, 2025
CVE-2025-45343
9.8 CRITICAL

An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code via the editing functionality of the account module in the goform/setmodules …

May 28, 2025
CVE-2025-3357
9.8 CRITICAL

IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19 could allow a remote attacker to execute arbitrary code due to improper validation of an index …

May 28, 2025
CVE-2025-5277
9.6 CRITICAL

aws-mcp-server MCP server is vulnerable to command injection. An attacker can craft a prompt that once accessed by the MCP client will run arbitrary commands …

May 28, 2025
CVE-2025-27528
9.1 CRITICAL

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security …

May 28, 2025
CVE-2025-22252
9.8 CRITICAL

A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 …

May 28, 2025
CVE-2025-32440
10.0 CRITICAL

NetAlertX is a network, presence scanner and alert framework. Prior to version 25.4.14, it is possible to bypass the authentication mechanism of NetAlertX to update …

May 27, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.