CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-44619
9.1 CRITICAL

Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without …

May 30, 2025
CVE-2020-36846
9.8 CRITICAL

A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli …

May 30, 2025
CVE-2025-46352
9.8 CRITICAL

The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the …

May 30, 2025
CVE-2025-41438
9.8 CRITICAL

The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by …

May 30, 2025
CVE-2025-1907
9.8 CRITICAL

Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.

May 30, 2025
CVE-2025-31263
9.1 CRITICAL

The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4. An app may be able to corrupt coprocessor memory.

May 29, 2025
CVE-2025-30466
9.8 CRITICAL

This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. …

May 29, 2025
CVE-2025-4967
9.1 CRITICAL

Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.

May 29, 2025
CVE-2025-47933
9.0 CRITICAL

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on …

May 29, 2025
CVE-2025-48336
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection.This issue affects Course Builder: from n/a through < 3.6.6.

May 29, 2025
CVE-2023-41591
9.8 CRITICAL

An issue in Open Network Foundation ONOS v2.7.0 allows attackers to create fake IP/MAC addresses and potentially execute a man-in-the-middle attack on communications between fake …

May 29, 2025
CVE-2025-48471
9.8 CRITICAL

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application does not check or performs insufficient checking of files …

May 29, 2025
CVE-2025-48748
10.0 CRITICAL

Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.

May 29, 2025
CVE-2025-3755
9.1 CRITICAL

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker …

May 29, 2025
CVE-2025-48749
9.1 CRITICAL

Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent Data.

May 28, 2025
CVE-2025-45343
9.8 CRITICAL

An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code via the editing functionality of the account module in the goform/setmodules …

May 28, 2025
CVE-2025-3357
9.8 CRITICAL

IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19 could allow a remote attacker to execute arbitrary code due to improper validation of an index …

May 28, 2025
CVE-2025-5277
9.6 CRITICAL

aws-mcp-server MCP server is vulnerable to command injection. An attacker can craft a prompt that once accessed by the MCP client will run arbitrary commands …

May 28, 2025
CVE-2025-27528
9.1 CRITICAL

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security …

May 28, 2025
CVE-2025-22252
9.8 CRITICAL

A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 …

May 28, 2025
CVE-2025-32440
10.0 CRITICAL

NetAlertX is a network, presence scanner and alert framework. Prior to version 25.4.14, it is possible to bypass the authentication mechanism of NetAlertX to update …

May 27, 2025
CVE-2025-48057
9.8 CRITICAL

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to …

May 27, 2025
CVE-2025-41652
9.8 CRITICAL

The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated remote attacker could exploit this weakness by performing …

May 27, 2025
CVE-2025-41651
9.8 CRITICAL

Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download …

May 27, 2025
CVE-2025-48828
9.0 CRITICAL

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an …

May 27, 2025
CVE-2025-48827
10.0 CRITICAL

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as …

May 27, 2025
CVE-2025-23394
9.8 CRITICAL

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

May 26, 2025
CVE-2025-40666
9.8 CRITICAL

Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. These allow an attacker to retrieve, create, update and delete databases through ArbolID parameter in/GIMWeb/PC/frmPreventivosList.aspx.

May 26, 2025
CVE-2025-40665
9.8 CRITICAL

Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. These allow an attacker to retrieve, create, update and delete databases through ArbolID parameter in /GIMWeb/PC/frmCorrectivosList.aspx.

May 26, 2025
CVE-2025-40664
9.1 CRITICAL

Missing authentication vulnerability in TCMAN GIM v11. This allows an unauthenticated attacker to access the resources /frmGestionUser.aspx/GetData, /frmGestionUser.aspx/updateUser and /frmGestionUser.aspx/DeleteUser.

May 26, 2025
CVE-2025-35003
9.8 CRITICAL

Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bluetooth Stack (HCI …

May 26, 2025
CVE-2025-2146
9.8 CRITICAL

Buffer overflow in WebService Authentication processing of Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger …

May 26, 2025
CVE-2025-5058
9.8 CRITICAL

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function …

May 24, 2025
CVE-2025-4603
9.1 CRITICAL

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function …

May 24, 2025
CVE-2024-51360
9.8 CRITICAL

An issue in Hospital Management System In PHP V4.0 allows a remote attacker to execute arbitrary code via the hms/doctor/edit-profile.php file

May 23, 2025
CVE-2024-51101
9.8 CRITICAL

PHPGURUKUL Restaurant Table Booking System using PHP and MySQL v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter at /rtbs/check-status.php.

May 23, 2025
CVE-2025-48289
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in AncoraThemes Kids Planet kidsplanet allows Object Injection.This issue affects Kids Planet: from n/a through <= 2.2.14.

May 23, 2025
CVE-2025-48287
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve wc-pagaleve allows Object Injection.This issue affects Pix 4x sem juros - Pagaleve: …

May 23, 2025
CVE-2025-48283
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Majestic Support Majestic Support majestic-support allows SQL Injection.This issue affects Majestic …

May 23, 2025
CVE-2025-47687
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Upload a Web Shell to a Web Server.This issue …

May 23, 2025
CVE-2025-47663
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects …

May 23, 2025
CVE-2025-47658
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Upload a Web Shell to a …

May 23, 2025
CVE-2025-47646
9.8 CRITICAL

Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation.This issue affects PSW …

May 23, 2025
CVE-2025-47642
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed ajar-productions-in5-embed allows Upload a Web Shell to a Web Server.This issue …

May 23, 2025
CVE-2025-47641
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce printcart-integration allows Upload a Web Shell to …

May 23, 2025
CVE-2025-47640
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce printcart-integration allows …

May 23, 2025
CVE-2025-47637
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in STAGGS STAGGS staggs allows Upload a Web Shell to a Web Server.This issue affects STAGGS: from …

May 23, 2025
CVE-2025-47599
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturante Facturante facturante allows SQL Injection.This issue affects Facturante: from n/a …

May 23, 2025
CVE-2025-47568
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds dzs-zoomsounds allows Object Injection.This issue affects ZoomSounds: from n/a through <= 6.91.

May 23, 2025
CVE-2025-47539
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.

May 23, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.