CVEs from 2025
- Total: 8,818
- Critical: 1,314
- High: 1,959
- Medium: 1,968
- Low: 200
- % Critical: 14.9%
- % with KEV: 2.1%
- % with exploit: 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-34291 | high | 8.8 | 10.0 | | | | 6mo ago | Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage… |
| CVE-2025-54236 | critical | 9.1 | 10.0 | | | | 9mo ago | Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. |
| CVE-2025-49113 | critical | — | 10.0 | | | | 1y ago | RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/… |
| CVE-2025-48595 | high | 8.4 | 9.9 | | | | 2d ago | Android Framework contains an integer overflow vulnerability that allows for code execution that could allow for local privilege escalation. |
| CVE-2025-43529 | high | — | 9.5 | | | | 6mo ago | Apple iOS, iPadOS, macOS, and other Apple products contain a use-after-free vulnerability in WebKit. Processing maliciously crafted web content may lead to memory corruption. This vulnerability could… |
| CVE-2025-14174 | high | — | 9.5 | | | | 6mo ago | Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability co… |
| CVE-2025-31277 | high | — | 9.5 | | | | 8mo ago | Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corru… |
| CVE-2025-41244 | high | — | 9.5 | | | | 8mo ago | Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with V… |
| CVE-2025-38352 | high | — | 9.5 | | | | 9mo ago | Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability. |
| CVE-2025-6558 | high | — | 9.5 | | | | 10mo ago | Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page.… |
| CVE-2025-48384 | high | — | 9.5 | | | | 11mo ago | Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files. |
| CVE-2025-27363 | high | — | 9.5 | | | | 1y ago | FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution. |
| CVE-2025-24201 | high | — | 9.5 | | | | 1y ago | Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox. This vuln… |