CVEs from 2025

- Total: 8,818
- Critical: 1,314
- High: 1,959
- Medium: 1,968
- Low: 200
- % Critical: 14.9%
- % with KEV: 2.1%
- % with exploit: 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-10327 | critical | 9.8 | 10.0 | 9mo ago | A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/api/playlist/shuffle.php. Executing manipulatio… | |||
| CVE-2025-54236 | critical | 9.1 | 10.0 | 9mo ago | Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. | |||
| CVE-2025-9090 | critical | 9.8 | 10.0 | 10mo ago | A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injecti… | |||
| CVE-2025-8471 | critical | 9.8 | 10.0 | 10mo ago | A vulnerability, which was classified as critical, has been found in projectworlds Online Admission System 1.0. This issue affects some unknown processing of the file /adminlogin.php. The manipulatio… | |||
| CVE-2025-6095 | critical | 9.8 | 10.0 | 1y ago | A vulnerability, which was classified as critical, was found in codesiddhant Jasmin Ransomware 1.0.1. Affected is an unknown function of the file /checklogin.php. The manipulation of the argument use… | |||
| CVE-2025-49113 | critical | — | 10.0 | 1y ago | RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/… | |||
| CVE-2025-4524 | critical | 9.8 | 10.0 | 1y ago | The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. … | |||
| CVE-2025-9140 | high | 8.8 | 9.8 | 10mo ago | A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_modul… | |||
| CVE-2025-12744 | high | — | 9.0 | 6mo ago | RHSA-2025:22760: abrt security update (Important) | |||
| CVE-2025-55315 | high | — | 9.0 | 7mo ago | RHSA-2025:18150: .NET 9.0 security update (Important) | |||
| CVE-2025-6965 | high | — | 9.0 | 10mo ago | RHSA-2025:14101: mingw-sqlite security update (Important) | |||
| CVE-2025-32023 | high | — | 9.0 | 11mo ago | RHSA-2025:12006: redis:6 security update (Important) | |||
| CVE-2025-31650 | high | — | 9.0 | 11mo ago | Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory … | |||
| CVE-2025-32462 | high | — | 9.0 | 11mo ago | Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines. | |||
| CVE-2025-1094 | high | — | 9.0 | 1y ago | RHSA-2025:3082: postgresql:12 security update (Important) | |||
| CVE-2025-67888 | high | 7.3 | 8.3 | 27d ago | An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized bef… | |||
| CVE-2025-8518 | high | 7.2 | 8.2 | 10mo ago | A vulnerability was found in givanz Vvveb 1.0.5. It has been rated as critical. Affected by this issue is the function Save of the file admin/controller/editor/code.php of the component Code Editor. … | |||
| CVE-2025-24813 | medium | — | 8.0 | 1y ago | Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request. | |||
| CVE-2025-4123 | medium | 6.1 | 7.1 | 1y ago | RHSA-2025:7894: grafana security update (Important) | |||
| CVE-2025-40271 | medium | — | 6.5 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which m… | |||
| CVE-2025-10370 | medium | 5.4 | 6.4 | 9mo ago | A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. The manipulation of the argument Custom script le… | |||
| CVE-2025-8550 | medium | 5.4 | 6.4 | 10mo ago | A vulnerability was found in atjiu pybbs up to 6.0.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/topic/list. The manipulation o… | |||
| CVE-2025-8191 | medium | 5.4 | 6.4 | 10mo ago | A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The man… | |||
| CVE-2025-40536 | unknown | — | 2.5 | 4mo ago | SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality. | |||
| CVE-2025-64328 | unknown | — | 2.5 | 4mo ago | Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> c… | |||
| CVE-2025-40551 | unknown | — | 2.5 | 4mo ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This c… | |||
| CVE-2025-52691 | unknown | — | 2.5 | 4mo ago | SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail s… | |||
| CVE-2025-37164 | unknown | — | 2.5 | 5mo ago | Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution. | |||
| CVE-2025-14847 | unknown | — | 2.5 | 5mo ago | MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by a… | |||
| CVE-2025-68613 | unknown | — | 2.5 | 5mo ago | n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution. | |||
| CVE-2025-14611 | unknown | — | 2.5 | 6mo ago | Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoin… | |||
| CVE-2025-55182 | unknown | — | 2.5 | 6mo ago | Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Ser… | |||
| CVE-2025-58360 | unknown | — | 2.5 | 6mo ago | OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation… | |||
| CVE-2025-58034 | unknown | — | 2.5 | 7mo ago | Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI comman… | |||
| CVE-2025-64446 | unknown | — | 2.5 | 7mo ago | Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. | |||
| CVE-2025-62215 | unknown | — | 2.5 | 7mo ago | Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could ena… | |||
| CVE-2025-11371 | unknown | — | 2.5 | 7mo ago | Gladinet CentreStack and Triofox contain a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files. | |||
| CVE-2025-59287 | unknown | — | 2.5 | 7mo ago | Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution. | |||
| CVE-2025-33073 | unknown | — | 2.5 | 8mo ago | Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the … | |||
| CVE-2025-61882 | unknown | — | 2.5 | 8mo ago | Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise O… | |||
| CVE-2025-32463 | unknown | — | 2.5 | 8mo ago | Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary command… | |||
| CVE-2025-57819 | unknown | — | 2.5 | 9mo ago | Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data, which allows unauthenticated access to FreePBX Administrator leading to arbitrary database… | |||
| CVE-2025-49704 | unknown | — | 2.5 | 11mo ago | Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-… | |||
| CVE-2025-49706 | unknown | — | 2.5 | 11mo ago | Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow an attacker to view… | |||
| CVE-2025-53770 | unknown | — | 2.5 | 11mo ago | Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could b… | |||
| CVE-2025-25257 | unknown | — | 2.5 | 11mo ago | Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. | |||
| CVE-2025-47812 | unknown | — | 2.5 | 11mo ago | Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arb… | |||
| CVE-2025-5777 | unknown | — | 2.5 | 11mo ago | Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a… | |||
| CVE-2025-3248 | unknown | — | 2.5 | 1y ago | Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests. | |||
| CVE-2025-33053 | unknown | — | 2.5 | 1y ago | Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribut… | |||
| CVE-2025-32433 | unknown | — | 2.5 | 1y ago | Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially l… | |||
| CVE-2025-4427 | unknown | — | 2.5 | 1y ago | Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted… | |||
| CVE-2025-4428 | unknown | — | 2.5 | 1y ago | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. T… | |||
| CVE-2025-30397 | unknown | — | 2.5 | 1y ago | Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL. | |||
| CVE-2025-32432 | unknown | — | 2.5 | 1y ago | Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code. | |||
| CVE-2025-24016 | unknown | — | 2.5 | 1y ago | Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers. | |||
| CVE-2025-24054 | unknown | — | 2.5 | 1y ago | Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2025-30406 | unknown | — | 2.5 | 1y ago | Gladinet CentreStack and Triofox contain a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploi… | |||
| CVE-2025-31161 | unknown | — | 2.5 | 1y ago | CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., c… | |||
| CVE-2025-22457 | unknown | — | 2.5 | 1y ago | Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution. | |||
| CVE-2025-2783 | unknown | — | 2.5 | 1y ago | Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability… | |||
| CVE-2025-26633 | unknown | — | 2.5 | 1y ago | Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally. | |||
| CVE-2025-24893 | unknown | — | 2.5 | 1y ago | XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch. | |||
| CVE-2025-24085 | unknown | — | 2.5 | 1y ago | Apple iOS, macOS, and other Apple products contain a use-after-free vulnerability that could allow a malicious application to elevate privileges. | |||
| CVE-2025-21333 | unknown | — | 2.5 | 1y ago | Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges. | |||
| CVE-2025-0282 | unknown | — | 2.5 | 1y ago | Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. | |||
| CVE-2025-37928 | unknown | — | 1.0 | — | In the Linux kernel, the following vulnerability has been resolved: dm-bufio: don't schedule in atomic context A BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet a… | |||
| CVE-2025-34104 | unknown | — | 1.0 | — | An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser… | |||
| CVE-2025-60751 | unknown | — | 1.0 | — | GeographicLib 2.5 is vulnerable to Buffer Overflow in GeoConvert DMS::InternalDecode. | |||
| CVE-2025-6018 | unknown | — | 1.0 | — | A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a… | |||
| CVE-2025-27210 | unknown | — | 1.0 | — | An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` AP… | |||
| CVE-2025-24367 | unknown | — | 1.0 | — | Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web ro… | |||
| CVE-2025-47917 | unknown | — | 1.0 | — | Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head a… | |||
| CVE-2025-11001 | unknown | — | 1.0 | — | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction wi… | |||
| CVE-2025-46811 | unknown | — | 1.0 | — | ||||
| CVE-2025-69985 | unknown | — | 1.0 | 3mo ago | FUXA has JWT Authentication Bypass via HTTP Referer header spoofing | |||
| CVE-2025-69210 | unknown | — | 1.0 | 5mo ago | FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload | |||
| CVE-2025-68664 | unknown | — | 1.0 | 5mo ago | LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs | |||
| CVE-2025-66294 | unknown | — | 1.0 | 6mo ago | Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass | |||
| CVE-2025-66301 | unknown | — | 1.0 | 6mo ago | Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions | |||
| CVE-2025-64459 | unknown | — | 1.0 | 7mo ago | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to… | |||
| CVE-2025-60787 | unknown | — | 1.0 | 7mo ago | motionEye vulnerable to RCE via unsanitized motion config parameter | |||
| CVE-2025-59342 | unknown | — | 1.0 | 9mo ago | esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh | |||
| CVE-2025-59528 | unknown | — | 1.0 | 9mo ago | Flowise has Remote Code Execution vulnerability | |||
| CVE-2025-58434 | unknown | — | 1.0 | 9mo ago | Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover | |||
| CVE-2025-58180 | unknown | — | 1.0 | 9mo ago | OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload | |||
| CVE-2025-8943 | unknown | — | 1.0 | 10mo ago | Flowise OS command remote code execution | |||
| CVE-2025-52392 | unknown | — | 1.0 | 10mo ago | Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms | |||
| CVE-2025-8573 | unknown | — | 1.0 | 10mo ago | Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page | |||
| CVE-2025-54589 | unknown | — | 1.0 | 10mo ago | copyparty Reflected XSS via Filter Parameter | |||
| CVE-2025-32429 | unknown | — | 1.0 | 10mo ago | XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter | |||
| CVE-2025-50481 | unknown | — | 1.0 | 11mo ago | A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a… | |||
| CVE-2025-34086 | unknown | — | 1.0 | 11mo ago | Bolt CMS vulnerable to authenticated remote code execution | |||
| CVE-2025-34076 | unknown | — | 1.0 | 11mo ago | Microweber CMS API has authenticated local file inclusion vulnerability | |||
| CVE-2025-34040 | unknown | — | 1.0 | 1y ago | An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uplo… | |||
| CVE-2025-49132 | unknown | — | 1.0 | 1y ago | Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution | |||
| CVE-2025-49136 | unknown | — | 1.0 | 1y ago | listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user in github.com/knadh/listmonk | |||
| CVE-2025-49619 | unknown | — | 1.0 | 1y ago | Skyvern has a Jinja runtime leak | |||
| CVE-2025-27533 | unknown | — | 1.0 | 1y ago | Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation | |||
| CVE-2025-47226 | unknown | — | 1.0 | 1y ago | Grokability Snipe-IT has incorrect authorization for accessing asset information |