CVEs from 2025
Total
8,818
critical
critical 1,314
high
high 1,959
medium
medium 1,968
low
low 200
% Critical
14.9%
% with KEV
2.1%
% with exploit
2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-34291 | high | 8.8 | 10.0 | 6mo ago | Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage… | |||
| CVE-2025-54236 | critical | 9.1 | 10.0 | 9mo ago | Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. | |||
| CVE-2025-49113 | critical | — | 10.0 | 1y ago | RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/… | |||
| CVE-2025-48595 | high | 8.4 | 9.9 | 2d ago | Android Framework contains an integer overflow vulnerability that allows for code execution that could allow for local privilege escalation. | |||
| CVE-2025-43529 | high | — | 9.5 | 6mo ago | Apple iOS, iPadOS, macOS, and other Apple products contain a use-after-free vulnerability in WebKit. Processing maliciously crafted web content may lead to memory corruption. This vulnerability could… | |||
| CVE-2025-14174 | high | — | 9.5 | 6mo ago | Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability co… | |||
| CVE-2025-31277 | high | — | 9.5 | 8mo ago | Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corru… | |||
| CVE-2025-41244 | high | — | 9.5 | 8mo ago | Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with V… | |||
| CVE-2025-38352 | high | — | 9.5 | 9mo ago | Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability. | |||
| CVE-2025-6558 | high | — | 9.5 | 10mo ago | Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page.… | |||
| CVE-2025-48384 | high | — | 9.5 | 11mo ago | Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files. | |||
| CVE-2025-27363 | high | — | 9.5 | 1y ago | FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution. | |||
| CVE-2025-24201 | high | — | 9.5 | 1y ago | Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox. This vuln… | |||
| CVE-2025-24813 | medium | — | 8.0 | 1y ago | Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request. | |||
| CVE-2025-40536 | unknown | — | 2.5 | 4mo ago | SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality. | |||
| CVE-2025-64328 | unknown | — | 2.5 | 4mo ago | Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> c… | |||
| CVE-2025-40551 | unknown | — | 2.5 | 4mo ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This c… | |||
| CVE-2025-52691 | unknown | — | 2.5 | 4mo ago | SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail s… | |||
| CVE-2025-37164 | unknown | — | 2.5 | 5mo ago | Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution. | |||
| CVE-2025-14847 | unknown | — | 2.5 | 5mo ago | MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by a… | |||
| CVE-2025-68613 | unknown | — | 2.5 | 5mo ago | n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution. | |||
| CVE-2025-14611 | unknown | — | 2.5 | 6mo ago | Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoin… | |||
| CVE-2025-55182 | unknown | — | 2.5 | 6mo ago | Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Ser… | |||
| CVE-2025-58360 | unknown | — | 2.5 | 6mo ago | OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation… | |||
| CVE-2025-58034 | unknown | — | 2.5 | 7mo ago | Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI comman… | |||
| CVE-2025-64446 | unknown | — | 2.5 | 7mo ago | Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. | |||
| CVE-2025-62215 | unknown | — | 2.5 | 7mo ago | Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could ena… | |||
| CVE-2025-11371 | unknown | — | 2.5 | 7mo ago | Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files. | |||
| CVE-2025-59287 | unknown | — | 2.5 | 7mo ago | Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution. | |||
| CVE-2025-33073 | unknown | — | 2.5 | 8mo ago | Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the … | |||
| CVE-2025-61882 | unknown | — | 2.5 | 8mo ago | Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise O… | |||
| CVE-2025-32463 | unknown | — | 2.5 | 8mo ago | Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary command… | |||
| CVE-2025-57819 | unknown | — | 2.5 | 9mo ago | Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database… | |||
| CVE-2025-49706 | unknown | — | 2.5 | 11mo ago | Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view… | |||
| CVE-2025-49704 | unknown | — | 2.5 | 11mo ago | Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-… | |||
| CVE-2025-53770 | unknown | — | 2.5 | 11mo ago | Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could b… | |||
| CVE-2025-25257 | unknown | — | 2.5 | 11mo ago | Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. | |||
| CVE-2025-47812 | unknown | — | 2.5 | 11mo ago | Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arb… | |||
| CVE-2025-5777 | unknown | — | 2.5 | 11mo ago | Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a… | |||
| CVE-2025-3248 | unknown | — | 2.5 | 1y ago | Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests. | |||
| CVE-2025-33053 | unknown | — | 2.5 | 1y ago | Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribut… | |||
| CVE-2025-32433 | unknown | — | 2.5 | 1y ago | Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially l… | |||
| CVE-2025-4427 | unknown | — | 2.5 | 1y ago | Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted… | |||
| CVE-2025-4428 | unknown | — | 2.5 | 1y ago | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. T… | |||
| CVE-2025-30397 | unknown | — | 2.5 | 1y ago | Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL. | |||
| CVE-2025-32432 | unknown | — | 2.5 | 1y ago | Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code. | |||
| CVE-2025-24016 | unknown | — | 2.5 | 1y ago | Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers. | |||
| CVE-2025-24054 | unknown | — | 2.5 | 1y ago | Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2025-30406 | unknown | — | 2.5 | 1y ago | Gladinet CentreStack and Triofox contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploi… | |||
| CVE-2025-31161 | unknown | — | 2.5 | 1y ago | CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., c… | |||
| CVE-2025-22457 | unknown | — | 2.5 | 1y ago | Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution. | |||
| CVE-2025-2783 | unknown | — | 2.5 | 1y ago | Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability… | |||
| CVE-2025-26633 | unknown | — | 2.5 | 1y ago | Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally. | |||
| CVE-2025-24893 | unknown | — | 2.5 | 1y ago | XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch. | |||
| CVE-2025-24085 | unknown | — | 2.5 | 1y ago | Apple iOS, macOS, and other Apple products contain a user-after-free vulnerability that could allow a malicious application to elevate privileges. | |||
| CVE-2025-21333 | unknown | — | 2.5 | 1y ago | Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges. | |||
| CVE-2025-0282 | unknown | — | 2.5 | 1y ago | Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. | |||
| CVE-2025-29635 | unknown | — | 1.5 | 1mo ago | D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via … | |||
| CVE-2025-2749 | unknown | — | 1.5 | 2mo ago | Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations. | |||
| CVE-2025-32975 | unknown | — | 1.5 | 2mo ago | Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials. | |||
| CVE-2025-48700 | unknown | — | 1.5 | 2mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to una… | |||
| CVE-2025-60710 | unknown | — | 1.5 | 2mo ago | Microsoft Windows contains a link following vulnerability that allows for privilege escalation | |||
| CVE-2025-53521 | unknown | — | 1.5 | 2mo ago | F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution. | |||
| CVE-2025-43520 | unknown | — | 1.5 | 3mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel … | |||
| CVE-2025-43510 | unknown | — | 1.5 | 3mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes. | |||
| CVE-2025-66376 | unknown | — | 1.5 | 3mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML. | |||
| CVE-2025-47813 | unknown | — | 1.5 | 3mo ago | Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie. | |||
| CVE-2025-26399 | unknown | — | 1.5 | 3mo ago | SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine. | |||
| CVE-2025-68461 | unknown | — | 1.5 | 3mo ago | RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document. | |||
| CVE-2025-15556 | unknown | — | 1.5 | 4mo ago | Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute… | |||
| CVE-2025-68645 | unknown | — | 1.5 | 4mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal reque… | |||
| CVE-2025-34026 | unknown | — | 1.5 | 4mo ago | Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The… | |||
| CVE-2025-14733 | unknown | — | 1.5 | 6mo ago | WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and … | |||
| CVE-2025-20393 | unknown | — | 1.5 | 6mo ago | Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with… | |||
| CVE-2025-59374 | unknown | — | 1.5 | 6mo ago | ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could caus… | |||
| CVE-2025-40602 | unknown | — | 1.5 | 6mo ago | SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices. | |||
| CVE-2025-59718 | unknown | — | 1.5 | 6mo ago | Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiC… | |||
| CVE-2025-8110 | unknown | — | 1.5 | 6mo ago | Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution. | |||
| CVE-2025-62221 | unknown | — | 1.5 | 6mo ago | Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally. | |||
| CVE-2025-6218 | unknown | — | 1.5 | 6mo ago | RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user. | |||
| CVE-2025-66644 | unknown | — | 1.5 | 6mo ago | Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands. | |||
| CVE-2025-48633 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for information disclosure. | |||
| CVE-2025-48572 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2025-61757 | unknown | — | 1.5 | 7mo ago | Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager. | |||
| CVE-2025-13223 | unknown | — | 1.5 | 7mo ago | Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption. | |||
| CVE-2025-9242 | unknown | — | 1.5 | 7mo ago | WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code. | |||
| CVE-2025-12480 | unknown | — | 1.5 | 7mo ago | Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete. | |||
| CVE-2025-21042 | unknown | — | 1.5 | 7mo ago | Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code. | |||
| CVE-2025-48703 | unknown | — | 1.5 | 7mo ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in… | |||
| CVE-2025-11953 | unknown | — | 1.5 | 7mo ago | React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary e… | |||
| CVE-2025-6204 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code. | |||
| CVE-2025-6205 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application. | |||
| CVE-2025-61932 | unknown | — | 1.5 | 8mo ago | Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packet… | |||
| CVE-2025-2746 | unknown | — | 1.5 | 8mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |||
| CVE-2025-61884 | unknown | — | 1.5 | 8mo ago | Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication. | |||
| CVE-2025-2747 | unknown | — | 1.5 | 8mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |||
| CVE-2025-54253 | unknown | — | 1.5 | 8mo ago | Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution. | |||
| CVE-2025-24990 | unknown | — | 1.5 | 8mo ago | Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain… | |||
| CVE-2025-59230 | unknown | — | 1.5 | 8mo ago | Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally. | |||
| CVE-2025-47827 | unknown | — | 1.5 | 8mo ago | IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a cr… |