CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-32461
9.9 CRITICAL

wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.

Apr 9, 2025
CVE-2025-30282
9.1 CRITICAL

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of …

Apr 8, 2025
CVE-2025-30281
9.1 CRITICAL

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. A high-privileged attacker …

Apr 8, 2025
CVE-2025-24447
9.1 CRITICAL

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the …

Apr 8, 2025
CVE-2025-24446
9.1 CRITICAL

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution. Exploitation of this …

Apr 8, 2025
CVE-2025-22871
9.1 CRITICAL

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http …

Apr 8, 2025
CVE-2025-25226
9.8 CRITICAL

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a …

Apr 8, 2025
CVE-2024-48887
9.8 CRITICAL

A unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request

Apr 8, 2025
CVE-2025-32028
9.9 CRITICAL

HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a …

Apr 8, 2025
CVE-2024-54092
9.8 CRITICAL

A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial …

Apr 8, 2025
CVE-2024-41794
10.0 CRITICAL

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating …

Apr 8, 2025
CVE-2024-41790
9.1 CRITICAL

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the region parameter …

Apr 8, 2025
CVE-2024-41789
9.1 CRITICAL

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the language parameter …

Apr 8, 2025
CVE-2024-41788
9.1 CRITICAL

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the input parameters …

Apr 8, 2025
CVE-2025-31330
9.9 CRITICAL

SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the …

Apr 8, 2025
CVE-2025-30016
9.8 CRITICAL

SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to …

Apr 8, 2025
CVE-2025-27429
9.9 CRITICAL

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of …

Apr 8, 2025
CVE-2025-2004
9.1 CRITICAL

The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in …

Apr 8, 2025
CVE-2025-3363
9.8 CRITICAL

The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them …

Apr 8, 2025
CVE-2025-3362
9.8 CRITICAL

The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them …

Apr 8, 2025
CVE-2025-3361
9.8 CRITICAL

The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them …

Apr 8, 2025
CVE-2025-28413
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component

Apr 7, 2025
CVE-2025-28412
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController

Apr 7, 2025
CVE-2025-28411
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method in /tool/gen/editSave

Apr 7, 2025
CVE-2025-28410
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not properly validate whether the requesting user has …

Apr 7, 2025
CVE-2025-28408
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{deptId} endpoint does not properly validate the …

Apr 7, 2025
CVE-2025-28406
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter

Apr 7, 2025
CVE-2025-28405
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method

Apr 7, 2025
CVE-2025-28402
9.8 CRITICAL

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter

Apr 7, 2025
CVE-2025-3248
9.8 CRITICAL KEV

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to …

Apr 7, 2025
CVE-2025-20654
9.8 CRITICAL

In wlan service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with …

Apr 7, 2025
CVE-2025-2941
9.8 CRITICAL

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via …

Apr 5, 2025
CVE-2021-47667
10.0 CRITICAL

An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters …

Apr 5, 2025
CVE-2025-32118
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance cmp-coming-soon-maintenance allows Using Malicious Files.This issue affects CMP – …

Apr 4, 2025
CVE-2025-31480
9.1 CRITICAL

aiven-extras is a PostgreSQL extension. This is a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability …

Apr 4, 2025
CVE-2025-27520
9.8 CRITICAL

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by …

Apr 4, 2025
CVE-2025-31403
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification booking-calendar-and-notification allows Blind SQL Injection.This issue …

Apr 4, 2025
CVE-2025-2798
9.8 CRITICAL

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration …

Apr 4, 2025
CVE-2025-28146
9.8 CRITICAL

Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via fota_url in /boafrm/formLtefotaUpgradeQuectel

Apr 4, 2025
CVE-2024-51800
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Favethemes Homey allows Privilege Escalation.This issue affects Homey: from n/a through 2.4.1.

Apr 4, 2025
CVE-2025-2244
9.8 CRITICAL

A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender GravityZone Console unsafely uses php unserialize() on user-supplied input without validation. By crafting …

Apr 4, 2025
CVE-2024-13645
9.8 CRITICAL

The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes …

Apr 4, 2025
CVE-2025-31161
9.8 CRITICAL KEV

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as …

Apr 3, 2025
CVE-2025-30406
9.0 CRITICAL KEV

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in …

Apr 3, 2025
CVE-2025-29462
9.8 CRITICAL

A buffer overflow vulnerability has been discovered in Tenda Ac15 V15.13.07.13. The vulnerability occurs when the webCgiGetUploadFile function calls the socketRead function to process HTTP …

Apr 3, 2025
CVE-2025-29064
9.8 CRITICAL

An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of the cstecgi.cgi.

Apr 3, 2025
CVE-2025-26818
9.8 CRITICAL

Netwrix Password Secure through 9.2 allows command injection.

Apr 3, 2025
CVE-2025-26817
9.8 CRITICAL

Netwrix Password Secure 9.2.0.32454 allows OS command injection.

Apr 3, 2025
CVE-2025-29647
9.8 CRITICAL

SeaCMS v13.3 has a SQL injection vulnerability in the component admin_tempvideo.php.

Apr 3, 2025
CVE-2024-22611
9.8 CRITICAL

OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php and \openemr\controller.php.

Apr 3, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.