CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-45615
9.8 CRITICAL

Incorrect access control in the /admin/ API of yaoqishan v0.0.1-SNAPSHOT allows attackers to gain access to Admin rights via a crafted request.

May 5, 2025
CVE-2025-45612
9.8 CRITICAL

Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.

May 5, 2025
CVE-2025-45611
9.8 CRITICAL

Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.

May 5, 2025
CVE-2025-45607
9.8 CRITICAL

An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request.

May 5, 2025
CVE-2025-1909
9.8 CRITICAL

The BuddyBoss Platform Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.01. This is due to insufficient verification …

May 5, 2025
CVE-2025-43852
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. …

May 5, 2025
CVE-2025-43851
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. …

May 5, 2025
CVE-2025-43850
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_dir variable takes user input (e.g. …

May 5, 2025
CVE-2025-43849
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_a and cpkt_b variables take user …

May 5, 2025
CVE-2025-4052
9.8 CRITICAL

Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to …

May 5, 2025
CVE-2025-45238
9.1 CRITICAL

foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method.

May 5, 2025
CVE-2025-43848
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path0 variable takes user input (e.g. …

May 5, 2025
CVE-2025-43847
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path2 variable takes user input (e.g. …

May 5, 2025
CVE-2025-43846
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path1 variable takes user input (e.g. …

May 5, 2025
CVE-2025-43845
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to code injection. The ckpt_path2 variable takes user input (e.g. …

May 5, 2025
CVE-2025-43844
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, among others, take user …

May 5, 2025
CVE-2025-43843
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take …

May 5, 2025
CVE-2025-43842
9.8 CRITICAL

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7, trainset_dir4 and sr2 …

May 5, 2025
CVE-2025-24977
9.1 CRITICAL

OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the …

May 5, 2025
CVE-2024-57235
9.8 CRITICAL

NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_enable function.

May 5, 2025
CVE-2024-57234
9.8 CRITICAL

NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_cancel_wps function.

May 5, 2025
CVE-2024-57233
9.8 CRITICAL

NETGEAR RAX5 (AX1600 WiFi Router) v1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function.

May 5, 2025
CVE-2024-57232
9.8 CRITICAL

NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function.

May 5, 2025
CVE-2024-57231
9.8 CRITICAL

NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pbc_wps function.

May 5, 2025
CVE-2024-57230
9.8 CRITICAL

NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function.

May 5, 2025
CVE-2024-57229
9.8 CRITICAL

NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function.

May 5, 2025
CVE-2025-45042
9.8 CRITICAL

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function.

May 5, 2025
CVE-2025-2905
9.1 CRITICAL

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 …

May 5, 2025
CVE-2025-3918
9.8 CRITICAL

The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The …

May 3, 2025
CVE-2025-45800
9.8 CRITICAL

TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a command execution vulnerability in the setDeviceName interface of the /lib/cste_modules/global.so library, specifically in the processing of the deviceMac parameter.

May 2, 2025
CVE-2025-44877
9.8 CRITICAL

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via the usbname parameter. This vulnerability allows attackers to execute …

May 2, 2025
CVE-2025-44872
9.8 CRITICAL

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via the deviceName parameter. This vulnerability allows attackers to execute …

May 2, 2025
CVE-2025-44868
9.8 CRITICAL

Wavlink WL-WN530H4 20220801 was found to contain a command injection vulnerability in the ping_test function of the adm.cgi via the pingIp parameter. This vulnerability allows …

May 2, 2025
CVE-2025-3927
9.8 CRITICAL

Digigram's PYKO-OUT audio-over-IP (AoIP) web-server does not require a password by default, allowing any attacker with the target IP address to connect and compromise the …

May 2, 2025
CVE-2025-2605
9.9 CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from …

May 2, 2025
CVE-2025-2421
9.8 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection.This issue affects SambaBox: before 5.1.

May 2, 2025
CVE-2025-2812
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection.This issue affects …

May 2, 2025
CVE-2025-3709
9.8 CRITICAL

Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.

May 2, 2025
CVE-2025-3708
9.8 CRITICAL

Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and …

May 2, 2025
CVE-2025-3746
9.8 CRITICAL

The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due …

May 2, 2025
CVE-2024-48905
9.1 CRITICAL

Sematell ReplyOne 7.4.3.0 has Insecure Permissions for the /rest/sessions endpoint.

May 1, 2025
CVE-2025-35996
9.0 CRITICAL

KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That …

May 1, 2025
CVE-2025-32011
9.8 CRITICAL

KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path …

May 1, 2025
CVE-2025-24522
10.0 CRITICAL

KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote …

May 1, 2025
CVE-2025-46566
9.8 CRITICAL

DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.9, authenticated users can complete RCE through the backend JDBC link. This issue …

May 1, 2025
CVE-2025-46337
10.0 CRITICAL

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query …

May 1, 2025
CVE-2025-27007
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects OttoKit: from n/a through <= 1.0.82.

May 1, 2025
CVE-2025-47154
9.0 CRITICAL

LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary …

May 1, 2025
CVE-2025-4144
9.8 CRITICAL

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could …

May 1, 2025
CVE-2025-46558
9.0 CRITICAL

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, …

Apr 30, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.