CVEs from 2025
- Total 8,971
- critical 1,368
- high 2,067
- medium 2,068
- low 204
- % Critical 15.2%
- % with KEV 2.0%
- % with exploit 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 110
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-4404 | high | — | 8.0 | 1y ago | RHSA-2025:9188: idm:DL1 security update (Important) | |||
| CVE-2025-5473 | high | — | 8.0 | 1y ago | RHSA-2025:9165: gimp:2.8 security update (Important) | |||
| CVE-2025-48798 | high | — | 8.0 | 1y ago | RHSA-2025:9165: gimp:2.8 security update (Important) | |||
| CVE-2025-48797 | high | — | 8.0 | 1y ago | RHSA-2025:9165: gimp:2.8 security update (Important) | |||
| CVE-2025-37750 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21979 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-22126 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21999 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21963 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-48734 | high | — | 8.0 | 1y ago | Important: apache-commons-beanutils security update | |||
| CVE-2025-21969 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21961 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-30399 | high | — | 8.0 | 1y ago | RHSA-2025:8815: .NET 9.0 security update (Important) | |||
| CVE-2025-47947 | high | — | 8.0 | 1y ago | RHSA-2025:8844: mod_security security update (Important) | |||
| CVE-2025-40907 | high | — | 8.0 | 1y ago | RHSA-2025:8696: perl-FCGI:0.78 security update (Important) | |||
| CVE-2025-37943 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-22055 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-37785 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21997 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21920 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21926 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-23167 | high | — | 8.0 | 1y ago | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers t… | |||
| CVE-2025-23165 | high | — | 8.0 | 1y ago | RHSA-2025:8514: nodejs:20 security update (Important) | |||
| CVE-2025-23166 | high | — | 8.0 | 1y ago | RHSA-2025:8514: nodejs:20 security update (Important) | |||
| CVE-2025-4447 | high | — | 8.0 | 1y ago | RHSA-2025:8431: java-1.8.0-ibm security update (Important) | |||
| CVE-2025-47905 | high | — | 8.0 | 1y ago | Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to d… | |||
| CVE-2025-5267 | high | — | 8.0 | 1y ago | A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunder… | |||
| CVE-2025-5263 | high | — | 8.0 | 1y ago | Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Fir… | |||
| CVE-2025-5283 | high | — | 8.0 | 1y ago | Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2025-32909 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-32910 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-5269 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-5266 | high | — | 8.0 | 1y ago | Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thu… | |||
| CVE-2025-5268 | high | — | 8.0 | 1y ago | Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort … | |||
| CVE-2025-5264 | high | — | 8.0 | 1y ago | Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's … | |||
| CVE-2025-3877 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-3932 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-3909 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-3875 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-3887 | high | — | 8.0 | 1y ago | RHSA-2025:8201: gstreamer1-plugins-bad-free security update (Important) | |||
| CVE-2025-32914 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-2784 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-32049 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-4948 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-4919 | high | — | 8.0 | 1y ago | An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ES… | |||
| CVE-2025-4918 | high | — | 8.0 | 1y ago | An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbi… | |||
| CVE-2025-31205 | high | — | 8.0 | 1y ago | The issue was addressed with improved checks. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. A malicious website may exfiltra… | |||
| CVE-2025-37749 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21966 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-47287 | high | — | 8.0 | 1y ago | RHSA-2025:8254: pcs security update (Important) | |||
| CVE-2025-26646 | high | — | 8.0 | 1y ago | RHSA-2025:7589: .NET 8.0 security update (Important) | |||
| CVE-2025-21605 | high | — | 8.0 | 1y ago | RHSA-2025:7686: redis:6 security update (Important) | |||
| CVE-2025-32052 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-32913 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-32907 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-46421 | high | — | 8.0 | 1y ago | RHSA-2025:4560: libsoup security update (Important) | |||
| CVE-2025-31492 | high | — | 8.0 | 1y ago | RHSA-2025:3997: mod_auth_openidc:2.3 security update (Important) | |||
| CVE-2025-21633 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-46420 | high | — | 8.0 | 1y ago | RHSA-2025:4560: libsoup security update (Important) | |||
| CVE-2025-3155 | high | — | 8.0 | 1y ago | A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrat… | |||
| CVE-2025-32911 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-32906 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-32053 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-31498 | high | — | 8.0 | 1y ago | Important: nodejs:22 security update | |||
| CVE-2025-21993 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-3277 | high | — | 8.0 | 1y ago | Important: nodejs:22 security update | |||
| CVE-2025-32050 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-46727 | high | — | 8.0 | 1y ago | RHSA-2025:8254: pcs security update (Important) | |||
| CVE-2025-4093 | high | — | 8.0 | 1y ago | RHSA-2025:4797: thunderbird security update (Important) | |||
| CVE-2025-4091 | high | — | 8.0 | 1y ago | Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort so… | |||
| CVE-2025-2817 | high | — | 8.0 | 1y ago | Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged… | |||
| CVE-2025-4087 | high | — | 8.0 | 1y ago | A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and… | |||
| CVE-2025-4083 | high | — | 8.0 | 1y ago | A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended f… | |||
| CVE-2025-21927 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-3522 | high | — | 8.0 | 1y ago | RHSA-2025:4649: thunderbird security update (Important) | |||
| CVE-2025-3523 | high | — | 8.0 | 1y ago | RHSA-2025:4649: thunderbird security update (Important) | |||
| CVE-2025-2830 | high | — | 8.0 | 1y ago | RHSA-2025:4649: thunderbird security update (Important) | |||
| CVE-2025-22866 | high | — | 8.0 | 1y ago | Important: delve and golang security update | |||
| CVE-2025-30427 | high | — | 8.0 | 1y ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS… | |||
| CVE-2025-24189 | high | — | 8.0 | 1y ago | The issue was addressed with improved checks. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Processing maliciously crafted w… | |||
| CVE-2025-24209 | high | — | 8.0 | 1y ago | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4. Processi… | |||
| CVE-2025-24216 | high | — | 8.0 | 1y ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processi… | |||
| CVE-2025-24208 | high | — | 8.0 | 1y ago | A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack. | |||
| CVE-2025-24813 | medium | — | 8.0 | 1y ago | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apach… | |||
| CVE-2025-3029 | high | — | 8.0 | 1y ago | A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR … | |||
| CVE-2025-3028 | high | — | 8.0 | 1y ago | JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunde… | |||
| CVE-2025-3030 | high | — | 8.0 | 1y ago | Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort so… | |||
| CVE-2025-1080 | high | — | 8.0 | 1y ago | LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In th… | |||
| CVE-2025-29786 | high | — | 8.0 | 1y ago | Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire strin… | |||
| CVE-2025-22868 | high | — | 8.0 | 1y ago | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | |||
| CVE-2025-30204 | high | — | 8.0 | 1y ago | RHSA-2025:7967: osbuild-composer security update (Important) | |||
| CVE-2025-22869 | high | — | 8.0 | 1y ago | RHSA-2025:3210: container-tools:rhel8 security update (Important) | |||
| CVE-2025-21785 | high | — | 8.0 | 1y ago | In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bo… | |||
| CVE-2025-24855 | high | — | 8.0 | 1y ago | RHSA-2025:3615: libxslt security update (Important) | |||
| CVE-2025-27516 | high | — | 8.0 | 1y ago | RHSA-2025:3388: python-jinja2 security update (Important) | |||
| CVE-2025-0624 | high | — | 8.0 | 1y ago | Important: grub2 security update | |||
| CVE-2025-24928 | high | — | 8.0 | 1y ago | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted … | |||
| CVE-2025-24070 | high | — | 8.0 | 1y ago | RHSA-2025:2670: .NET 8.0 security, bug fix, and enhancement update (Important) | |||
| CVE-2025-26596 | high | — | 8.0 | 1y ago | Important: tigervnc security update | |||
| CVE-2025-26601 | high | — | 8.0 | 1y ago | Important: tigervnc security update |