CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-46557
9.8 CRITICAL

XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, …

Apr 30, 2025
CVE-2025-46331
9.8 CRITICAL

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker …

Apr 30, 2025
CVE-2025-44192
9.8 CRITICAL

SourceCodester Simple Barangay Management System v1.0 has a SQL injection vulnerability in /barangay_management/admin/?page=view_clearance.

Apr 30, 2025
CVE-2025-30392
9.8 CRITICAL

Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network.

Apr 30, 2025
CVE-2025-30390
9.9 CRITICAL

Improper authorization in Azure allows an authorized attacker to elevate privileges over a network.

Apr 30, 2025
CVE-2025-32974
9.0 CRITICAL

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't …

Apr 30, 2025
CVE-2025-32973
9.0 CRITICAL

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, …

Apr 30, 2025
CVE-2025-45018
9.8 CRITICAL

A SQL Injection vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary …

Apr 30, 2025
CVE-2025-45017
9.8 CRITICAL

A SQL injection vulnerability was discovered in edit-ticket.php of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via …

Apr 30, 2025
CVE-2025-32444
10.0 CRITICAL

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, …

Apr 30, 2025
CVE-2025-46348
10.0 CRITICAL

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without …

Apr 29, 2025
CVE-2025-46347
9.8 CRITICAL

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki vulnerable to remote code execution. An arbitrary file write can be used …

Apr 29, 2025
CVE-2025-40618
9.8 CRITICAL

SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the …

Apr 29, 2025
CVE-2025-40617
9.8 CRITICAL

SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the …

Apr 29, 2025
CVE-2025-25962
9.8 CRITICAL

An issue in Coresmartcontracts Uniswap v.3.0 and fixed in v.4.0 allows a remote attacker to escalate privileges via the _modifyPosition function

Apr 29, 2025
CVE-2025-25403
9.8 CRITICAL

Slims (Senayan Library Management Systems) 9 Bulian V9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/coll_type.php.

Apr 29, 2025
CVE-2025-4083
9.1 CRITICAL

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead …

Apr 29, 2025
CVE-2025-45953
9.1 CRITICAL

A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of …

Apr 28, 2025
CVE-2025-45949
9.8 CRITICAL

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - …

Apr 28, 2025
CVE-2025-45947
9.8 CRITICAL

An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - …

Apr 28, 2025
CVE-2025-31651
9.8 CRITICAL

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a …

Apr 28, 2025
CVE-2015-2079
9.9 CRITICAL

Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three argument) form of Perl open.

Apr 28, 2025
CVE-2025-46661
10.0 CRITICAL

IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have …

Apr 28, 2025
CVE-2025-3200
9.1 CRITICAL

An unauthenticated remote attacker could exploit the used, insecure TLS 1.0 and TLS 1.1 protocols to intercept and manipulate encrypted communications between the Com-Server and …

Apr 28, 2025
CVE-2025-2907
9.8 CRITICAL

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to …

Apr 26, 2025
CVE-2025-32985
9.8 CRITICAL

NETSCOUT nGeniusONE before 6.4.0 b2350 has Hardcoded Credentials that can be obtained from JAR files.

Apr 25, 2025
CVE-2025-32980
9.8 CRITICAL

NETSCOUT nGeniusONE before 6.4.0 P11 b3245 has a Weak Sudo Configuration.

Apr 25, 2025
CVE-2025-25775
9.8 CRITICAL

Codeastro Bus Ticket Booking System v1.0 is vulnerable to SQL injection via the kodetiket parameter in /BusTicket-CI/tiket/cekorder.

Apr 25, 2025
CVE-2024-56156
9.0 CRITICAL

Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This …

Apr 25, 2025
CVE-2025-32432
10.0 CRITICAL KEV

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to …

Apr 25, 2025
CVE-2025-2470
9.8 CRITICAL

The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in …

Apr 25, 2025
CVE-2025-46616
9.9 CRITICAL

Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, …

Apr 25, 2025
CVE-2025-46275
9.8 CRITICAL

WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials.

Apr 24, 2025
CVE-2025-46274
9.8 CRITICAL

UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database.

Apr 24, 2025
CVE-2025-46273
9.8 CRITICAL

UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.

Apr 24, 2025
CVE-2025-46272
9.1 CRITICAL

WGS-80HPT-V2 and WGS-4215-8T2S are vulnerable to a command injection attack that could allow an unauthenticated attacker to execute OS commands on the host system.

Apr 24, 2025
CVE-2025-46271
9.1 CRITICAL

UNI-NMS-Lite is vulnerable to a command injection attack that could allow an unauthenticated attacker to read or manipulate device data.

Apr 24, 2025
CVE-2025-43859
9.1 CRITICAL

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead …

Apr 24, 2025
CVE-2025-43858
9.2 CRITICAL

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of …

Apr 24, 2025
CVE-2025-31324
10.0 CRITICAL KEV

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely …

Apr 24, 2025
CVE-2025-46264
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server.This issue affects PowerPress …

Apr 24, 2025
CVE-2025-46248
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M A Vinoth Kumar Frontend Dashboard frontend-dashboard allows SQL Injection.This issue …

Apr 24, 2025
CVE-2025-3604
9.8 CRITICAL

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due …

Apr 24, 2025
CVE-2025-3603
9.8 CRITICAL

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due …

Apr 24, 2025
CVE-2025-3065
9.1 CRITICAL

The Database Toolset plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and …

Apr 24, 2025
CVE-2025-2767
9.6 CRITICAL

Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG …

Apr 23, 2025
CVE-2025-45429
9.8 CRITICAL

In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWpsStart, which may lead to remote arbitrary code execution.

Apr 23, 2025
CVE-2025-32969
9.8 CRITICAL

XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated …

Apr 23, 2025
CVE-2025-32966
9.8 CRITICAL

DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.8, authenticated users can complete RCE through the backend JDBC link. This issue …

Apr 23, 2025
CVE-2025-45428
9.8 CRITICAL

In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution.

Apr 23, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.