CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-47733
9.1 CRITICAL

Server-Side Request Forgery (SSRF) in Microsoft Power Apps allows an unauthorized attacker to disclose information over a network

May 8, 2025
CVE-2025-29972
9.9 CRITICAL

Server-side request forgery (ssrf) in Azure Storage Resource Provider allows an authorized attacker to perform spoofing over a network.

May 8, 2025
CVE-2025-29827
9.9 CRITICAL

Improper authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.

May 8, 2025
CVE-2025-29813
10.0 CRITICAL

Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

May 8, 2025
CVE-2023-31585
9.8 CRITICAL

Grocery-CMS-PHP-Restful-API v1.3 is vulnerable to File Upload via /admin/add-category.php.

May 8, 2025
CVE-2025-45798
9.8 CRITICAL

A command execution vulnerability exists in the TOTOLINK A950RG V4.1.2cu.5204_B20210112. The vulnerability is located in the setNoticeCfg interface within the /lib/cste_modules/system.so library, specifically in the …

May 8, 2025
CVE-2025-45797
9.8 CRITICAL

TOTOlink A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability. The vulnerability arises from the improper input validation of the NoticeUrl parameter in the setNoticeCfg interface of …

May 8, 2025
CVE-2025-45790
9.8 CRITICAL

TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow via the priority parameter in the setMacQos interface of /lib/cste_modules/firewall.so.

May 8, 2025
CVE-2025-45789
9.8 CRITICAL

TOTOLINK A3100R V5.9c.1527 is vulnerable to buffer overflow via the urlKeyword parameter in setParentalRules.

May 8, 2025
CVE-2025-45788
9.8 CRITICAL

TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow via the comment parameter in setMacFilterRules.

May 8, 2025
CVE-2025-45787
9.8 CRITICAL

TOTOLINK A3100R V5.9c.1527 is vulnerable to Buffer Overflow viathe comment parameter in setIpPortFilterRules.

May 8, 2025
CVE-2025-0505
10.0 CRITICAL

On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more …

May 8, 2025
CVE-2024-12378
9.1 CRITICAL

On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels …

May 8, 2025
CVE-2024-11186
10.0 CRITICAL

On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than …

May 8, 2025
CVE-2025-26845
9.8 CRITICAL

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a …

May 8, 2025
CVE-2025-45841
9.8 CRITICAL

TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an authenticated stack overflow via the text parameter in the setSmsCfg function.

May 8, 2025
CVE-2025-26844
9.8 CRITICAL

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.

May 8, 2025
CVE-2025-46828
9.8 CRITICAL

WeGIA is a web manager for charitable institutions. An unauthenticated SQL Injection vulnerability was identified in versions up to and including 3.3.0 in the endpoint …

May 7, 2025
CVE-2025-20188
10.0 CRITICAL

A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE …

May 7, 2025
CVE-2025-47657
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce productive-commerce allows SQL Injection.This issue affects Productive …

May 7, 2025
CVE-2025-47549
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server.This issue affects BEAF: from …

May 7, 2025
CVE-2025-2777
9.3 CRITICAL

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover …

May 7, 2025
CVE-2025-2776
9.3 CRITICAL KEV

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account …

May 7, 2025
CVE-2025-2775
9.3 CRITICAL KEV

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover …

May 7, 2025
CVE-2025-4104
9.8 CRITICAL

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_wp_ajax_fed_login_form_post() function in versions 1.0 to …

May 7, 2025
CVE-2025-0668
9.8 CRITICAL

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS.This issue affects BOINC Server: before 1.4.5.

May 7, 2025
CVE-2025-3844
9.8 CRITICAL

The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to handel_ajax_req() function not …

May 7, 2025
CVE-2025-0855
9.8 CRITICAL

The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input …

May 6, 2025
CVE-2025-44899
9.8 CRITICAL

There is a stack overflow vulnerability in Tenda RX3 V1.0br_V16.03.13.11 In the fromSetWifiGusetBasic function of the web url /goform/ WifiGuestSet, the manipulation of the parameter …

May 6, 2025
CVE-2025-44073
9.8 CRITICAL

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php.

May 6, 2025
CVE-2024-12225
9.1 CRITICAL

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while …

May 6, 2025
CVE-2025-46816
9.4 CRITICAL

goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone …

May 6, 2025
CVE-2025-25014
9.1 CRITICAL

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

May 6, 2025
CVE-2025-45492
9.8 CRITICAL

Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the Iface parameter in the action_wireless function.

May 6, 2025
CVE-2025-45491
9.8 CRITICAL

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.

May 6, 2025
CVE-2025-45490
9.8 CRITICAL

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the password parameter.

May 6, 2025
CVE-2025-45489
9.8 CRITICAL

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the hostname parameter.

May 6, 2025
CVE-2025-45488
9.8 CRITICAL

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the mailex parameter.

May 6, 2025
CVE-2025-45487
9.8 CRITICAL

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.InternetConnection function.

May 6, 2025
CVE-2025-40625
9.8 CRITICAL

Unrestricted file upload in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to upload any file within the server, even a malicious file to …

May 6, 2025
CVE-2025-40624
9.8 CRITICAL

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in …

May 6, 2025
CVE-2025-40623
9.8 CRITICAL

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in …

May 6, 2025
CVE-2025-40622
9.8 CRITICAL

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in …

May 6, 2025
CVE-2025-40621
9.8 CRITICAL

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in …

May 6, 2025
CVE-2025-40620
9.8 CRITICAL

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in …

May 6, 2025
CVE-2025-44074
9.8 CRITICAL

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_topic.php.

May 5, 2025
CVE-2025-44072
9.8 CRITICAL

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_manager.php.

May 5, 2025
CVE-2025-44071
9.8 CRITICAL

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via …

May 5, 2025
CVE-2025-46726
9.1 CRITICAL

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input …

May 5, 2025
CVE-2025-45616
9.8 CRITICAL

Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request.

May 5, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.