CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-45427
9.8 CRITICAL

In Tenda AC9 v1.0 with firmware V15.03.05.14_multi, the security parameter of /goform/WifiBasicSet has a stack overflow vulnerability, which can lead to remote arbitrary code execution.

Apr 23, 2025
CVE-2025-37087
9.8 CRITICAL

A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on …

Apr 22, 2025
CVE-2025-43951
9.8 CRITICAL

LabVantage before LV 8.8.0.13 HF6 allows local file inclusion. Authenticated users can retrieve arbitrary files from the environment via the objectname request parameter.

Apr 22, 2025
CVE-2025-43949
9.8 CRITICAL

MuM (aka Mensch und Maschine) MapEdit (aka mapedit-web) 24.2.3 is vulnerable to SQL Injection that allows an attacker to execute malicious SQL statements that control …

Apr 22, 2025
CVE-2025-43946
9.8 CRITICAL

TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal).

Apr 22, 2025
CVE-2025-28039
9.8 CRITICAL

TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setUpgradeFW function through the FileName parameter.

Apr 22, 2025
CVE-2025-28038
9.8 CRITICAL

TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setWebWlanIdx function through the webWlanIdx parameter.

Apr 22, 2025
CVE-2025-28036
9.8 CRITICAL

TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

Apr 22, 2025
CVE-2025-28035
9.8 CRITICAL

TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

Apr 22, 2025
CVE-2023-44755
9.8 CRITICAL

Sacco Management system v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /sacco/ajax.php.

Apr 22, 2025
CVE-2023-44752
9.8 CRITICAL

An issue in Student Study Center Desk Management System v1.0 allows attackers to bypass authentication via a crafted GET request to /php-sscdms/admin/login.php.

Apr 22, 2025
CVE-2023-43958
9.8 CRITICAL

An arbitrary file upload vulnerability in the component /jquery-file-upload/server/php/index.php of Hospital Management System v4.0 allows an unauthenticated attacker to upload any file to the server …

Apr 22, 2025
CVE-2025-34028
10.0 CRITICAL KEV

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, …

Apr 22, 2025
CVE-2025-28037
9.8 CRITICAL

TOTOLINK A810R V4.1.2cu.5182_B20201026 and A950RG V4.1.2cu.5161_B20200903 were found to contain a pre-auth remote command execution vulnerability in the setDiagnosisCfg function through the ipDomain parameter.

Apr 22, 2025
CVE-2025-28024
9.8 CRITICAL

TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a buffer overflow vulnerability in the cstecgi.cgi

Apr 22, 2025
CVE-2025-1950
9.3 CRITICAL

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due to improper validation of libraries …

Apr 22, 2025
CVE-2025-28034
9.8 CRITICAL

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in …

Apr 22, 2025
CVE-2024-40446
9.8 CRITICAL

An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script

Apr 22, 2025
CVE-2024-58250
9.3 CRITICAL

The passprompt plugin in pppd in ppp before 2.5.2 mishandles privileges.

Apr 22, 2025
CVE-2025-32958
9.8 CRITICAL

Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact …

Apr 21, 2025
CVE-2025-28104
9.1 CRITICAL

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.

Apr 21, 2025
CVE-2025-32431
9.1 CRITICAL

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in …

Apr 21, 2025
CVE-2025-29660
9.8 CRITICAL

A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper …

Apr 21, 2025
CVE-2025-29659
9.8 CRITICAL

Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary.

Apr 21, 2025
CVE-2025-29287
9.8 CRITICAL

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file.

Apr 21, 2025
CVE-2021-4455
9.8 CRITICAL

The Wordpress Plugin Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up …

Apr 19, 2025
CVE-2025-1093
9.8 CRITICAL

The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up …

Apr 19, 2025
CVE-2025-3278
9.8 CRITICAL

The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing …

Apr 19, 2025
CVE-2025-29058
9.8 CRITICAL

An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.

Apr 18, 2025
CVE-2024-53591
9.8 CRITICAL

An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack.

Apr 18, 2025
CVE-2025-28197
9.1 CRITICAL

Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py.

Apr 18, 2025
CVE-2025-28242
9.8 CRITICAL

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.

Apr 18, 2025
CVE-2025-28238
9.8 CRITICAL

Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.

Apr 18, 2025
CVE-2025-28236
9.8 CRITICAL

Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This …

Apr 18, 2025
CVE-2025-28233
9.1 CRITICAL

Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, …

Apr 18, 2025
CVE-2025-28231
9.1 CRITICAL

Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.

Apr 18, 2025
CVE-2025-32434
9.8 CRITICAL

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version …

Apr 18, 2025
CVE-2025-29953
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to …

Apr 18, 2025
CVE-2025-29209
9.8 CRITICAL

TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution in the enable parameter' of the sub_41105C function of cstecgi .cgi.

Apr 18, 2025
CVE-2025-28232
9.1 CRITICAL

Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication.

Apr 18, 2025
CVE-2025-28230
9.1 CRITICAL

Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials.

Apr 18, 2025
CVE-2025-28229
9.8 CRITICAL

Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges.

Apr 18, 2025
CVE-2024-29643
9.1 CRITICAL

An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component.

Apr 18, 2025
CVE-2025-1863
9.8 CRITICAL

Insecure default settings have been found in recorder products provided by Yokogawa Electric Corporation. The default setting of the authentication function is disabled on the …

Apr 18, 2025
CVE-2025-39471
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pantherius Modal Survey modal-survey.This issue affects Modal Survey: from n/a through …

Apr 18, 2025
CVE-2025-42599
9.8 CRITICAL KEV

Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated …

Apr 18, 2025
CVE-2025-28009
9.8 CRITICAL

A SQL Injection vulnerability exists in the `u` parameter of the progress-body-weight.php endpoint of Dietiqa App v1.0.20.

Apr 17, 2025
CVE-2024-53924
9.8 CRITICAL

Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the …

Apr 17, 2025
CVE-2025-29662
9.8 CRITICAL

A RCE vulnerability in the core application in LandChat 3.25.12.18 allows an unauthenticated attacker to execute system code via remote network access.

Apr 17, 2025
CVE-2025-39596
9.8 CRITICAL

Weak Authentication vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows Privilege Escalation.This issue affects Quentn WP: from n/a through <= 1.2.8.

Apr 17, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.