CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-46801
9.8 CRITICAL

Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able …

May 19, 2025
CVE-2025-23123
10.0 CRITICAL

A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a heap buffer overflow vulnerability in the …

May 19, 2025
CVE-2025-4918
9.8 CRITICAL

An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR …

May 17, 2025
CVE-2025-47945
9.1 CRITICAL

Donetick an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing …

May 17, 2025
CVE-2025-48187
9.1 CRITICAL

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, …

May 17, 2025
CVE-2025-4391
9.8 CRITICAL

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function …

May 17, 2025
CVE-2025-4389
9.8 CRITICAL

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function …

May 17, 2025
CVE-2025-40906
9.8 CRITICAL

BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. …

May 16, 2025
CVE-2025-39481
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection.This issue affects Eventer: from …

May 16, 2025
CVE-2025-32643
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from …

May 16, 2025
CVE-2025-47916
10.0 CRITICAL

Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where …

May 16, 2025
CVE-2025-47275
9.1 CRITICAL

Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using …

May 15, 2025
CVE-2025-47928
9.1 CRITICAL

Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on `.github/workflows/integration_tests.yml` followed by the checking out the head.sha …

May 15, 2025
CVE-2025-47787
9.8 CRITICAL

Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical …

May 15, 2025
CVE-2025-47784
9.8 CRITICAL

Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can …

May 15, 2025
CVE-2024-8673
9.1 CRITICAL

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.

May 15, 2025
CVE-2024-6809
9.8 CRITICAL

The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an …

May 15, 2025
CVE-2024-6584
9.1 CRITICAL

The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.

May 15, 2025
CVE-2024-6159
9.8 CRITICAL

The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL …

May 15, 2025
CVE-2025-46052
9.8 CRITICAL

An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL command and extract sensitive data by injecting a crafted payload …

May 15, 2025
CVE-2025-4564
9.8 CRITICAL

The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in …

May 15, 2025
CVE-2025-32002
9.8 CRITICAL

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware …

May 15, 2025
CVE-2025-3917
9.8 CRITICAL

The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up …

May 15, 2025
CVE-2025-47889
9.8 CRITICAL

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log …

May 14, 2025
CVE-2025-47884
9.1 CRITICAL

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with …

May 14, 2025
CVE-2025-27891
9.1 CRITICAL

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, W920, …

May 14, 2025
CVE-2025-32363
9.8 CRITICAL

mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data.

May 14, 2025
CVE-2025-4638
9.8 CRITICAL

A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to …

May 14, 2025
CVE-2025-47781
9.8 CRITICAL

Rallly is an open-source scheduling and collaboration tool. Versions up to and including 3.22.1 of the application features token based authentication. When a user attempts …

May 14, 2025
CVE-2025-47777
9.6 CRITICAL

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Versions prior to 0.11.1 are vulnerable to stored cross-site scripting in chatbot …

May 14, 2025
CVE-2025-47436
9.8 CRITICAL

Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files …

May 14, 2025
CVE-2024-24780
9.8 CRITICAL

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from …

May 14, 2025
CVE-2025-3623
9.1 CRITICAL

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input …

May 14, 2025
CVE-2025-43567
9.3 CRITICAL

Adobe Connect versions 12.8 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious …

May 13, 2025
CVE-2025-43564
9.1 CRITICAL

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged …

May 13, 2025
CVE-2025-43563
9.1 CRITICAL

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged …

May 13, 2025
CVE-2025-43562
9.1 CRITICAL

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability …

May 13, 2025
CVE-2025-43561
9.1 CRITICAL

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of …

May 13, 2025
CVE-2025-43560
9.1 CRITICAL

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context …

May 13, 2025
CVE-2025-43559
9.1 CRITICAL

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context …

May 13, 2025
CVE-2025-45863
9.8 CRITICAL

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the macstr parameter in the formMapDelDevice interface.

May 13, 2025
CVE-2025-45865
9.8 CRITICAL

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the dnsaddr parameter in the formDhcpv6s interface.

May 13, 2025
CVE-2025-45861
9.8 CRITICAL

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the routername parameter in the formDnsv6 interface.

May 13, 2025
CVE-2025-4660
9.8 CRITICAL

A remote code execution vulnerability exists in the Windows agent component of SecureConnector due to improper access controls on a named pipe. The pipe is …

May 13, 2025
CVE-2025-4658
9.8 CRITICAL

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on …

May 13, 2025
CVE-2025-3757
9.8 CRITICAL

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.

May 13, 2025
CVE-2025-30387
9.8 CRITICAL

Improper limitation of a pathname to a restricted directory ('path traversal') in Azure allows an unauthorized attacker to elevate privileges over a network.

May 13, 2025
CVE-2025-45858
9.8 CRITICAL

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function.

May 13, 2025
CVE-2025-45857
9.8 CRITICAL

EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function.

May 13, 2025
CVE-2025-31493
9.1 CRITICAL

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` …

May 13, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.