CVEs from 2025
Total: 8,971
- critical: 1,368
- high: 2,067
- medium: 2,068
- low: 204
% Critical: 15.2%
% with KEV: 2.0%
% with exploit: 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 110
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-32491 | critical | 9.8 | 9.8 | 1y ago | Incorrect Privilege Assignment vulnerability in Rankology Rankology SEO – On-site SEO rankology-seo-all-in-one-seo-analytics allows Privilege Escalation. This issue affects Rankology SEO – On-site SEO… |
| CVE-2025-25373 | critical | 9.8 | 9.8 | 1y ago | The Memory Management Module of NASA cFS (Core Flight System) Aquila has insecure permissions, which can be exploited to gain an RCE on the platform. |
| CVE-2025-2655 | critical | 9.8 | 9.8 | 1y ago | A vulnerability was detected in SourceCodester AC Repair and Services System 1.0. The affected element is the function save_users/delete_users of the file /classes/Users.php. Performing manipulation … |
| CVE-2025-26966 | critical | 9.8 | 9.8 | 1y ago | Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent private-content. This issue affects PrivateContent: from n/a through <= 8.11.5. |
| CVE-2025-24607 | critical | 9.8 | 9.8 | 1y ago | Missing Authorization vulnerability in Northern Beaches Websites IdeaPush ideapush allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IdeaPush: from n/a throug… |
| CVE-2025-55754 | critical | 9.6 | 9.6 | 19d ago | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Win… |
| CVE-2025-11022 | critical | 9.6 | 9.6 | 6mo ago | Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability resulting in Command Injection has been identified. Thi… |
| CVE-2025-60156 | critical | 9.6 | 9.6 | 8mo ago | Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server. This issue affects AR For WordPress: from n/a through <= 8.3… |
| CVE-2025-7743 | critical | 9.6 | 9.6 | 9mo ago | Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation. This issue affects Omaspot: before 12.09.2025. |
| CVE-2025-30967 | critical | 9.6 | 9.6 | 1y ago | Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a. |
| CVE-2025-20260 | critical | — | 9.5 | — | A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arb… |
| CVE-2025-20234 | critical | — | 9.5 | — | A vulnerability in Universal Disk Format (UDF) processing of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnera… |
| CVE-2025-14931 | critical | — | 9.5 | 6mo ago | Hugging Face smolagents: Unsafe deserialization in Remote Python Executor leads to RCE |
| CVE-2025-47151 | critical | — | 9.5 | 7mo ago | RHSA-2025:21628: lasso security update (Critical) |
| CVE-2025-55747 | critical | — | 9.5 | 9mo ago | XWiki configuration files can be accessed through the webjars API |
| CVE-2025-8077 | critical | — | 9.5 | 9mo ago | NeuVector admin account has insecure default password |
| CVE-2025-54951 | critical | — | 9.5 | 10mo ago | ExecuTorch vulnerable to Heap-based Buffer Overflow |
| CVE-2025-54950 | critical | — | 9.5 | 10mo ago | ExecuTorch out-of-bounds access vulnerability |
| CVE-2025-54949 | critical | — | 9.5 | 10mo ago | ExecuTorch heap buffer overflow vulnerability |
| CVE-2025-30405 | critical | — | 9.5 | 10mo ago | ExecuTorch integer overflow vulnerability |
| CVE-2025-30404 | critical | — | 9.5 | 10mo ago | ExecuTorch integer overflow vulnerability |
| CVE-2025-69614 | critical | 9.4 | 9.4 | 3mo ago | Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Accou… |
| CVE-2025-8668 | critical | 9.4 | 9.4 | 4mo ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd… |
| CVE-2025-4319 | critical | 9.4 | 9.4 | 5mo ago | Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute… |
| CVE-2025-8220 | critical | 9.4 | 9.4 | 11mo ago | A vulnerability has been found in Engeman Web up to 12.0.0.2. The affected element is an unknown function of the file /Login/RecoveryPass of the component Password Recovery Page. The manipulation of … |
| CVE-2025-27851 | critical | 9.3 | 9.3 | 24d ago | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including… |
| CVE-2025-49055 | critical | 9.3 | 9.3 | 5mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affect… |
| CVE-2025-32303 | critical | 9.3 | 9.3 | 5mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection. This issue affects WPCHURCH: from n/a through 2.7.0. |
| CVE-2025-39484 | critical | 9.3 | 9.3 | 5mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection. This issue affects Entrada: from n/a through 5.7.7. |
| CVE-2025-68865 | critical | 9.3 | 9.3 | 5mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global:… |
| CVE-2025-30633 | critical | 9.3 | 9.3 | 5mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations allows SQL Injection. This issue affects Amazon Nat… |
| CVE-2025-58951 | critical | 9.3 | 9.3 | 6mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Inje… |
| CVE-2025-48089 | critical | 9.3 | 9.3 | 7mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rainbow-Themes Education WordPress Theme \| HiStudy histudy allows SQL Injection. This issue affect… |
| CVE-2025-59557 | critical | 9.3 | 9.3 | 8mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection. This issue affects Learts Addons: from… |
| CVE-2025-49931 | critical | 9.3 | 9.3 | 8mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch jet-search allows Blind SQL Injection. This issue affects JetSearch: from n/a… |
| CVE-2025-49915 | critical | 9.3 | 9.3 | 8mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS A… |
| CVE-2025-11849 | critical | 9.3 | 9.3 | 8mo ago | Mammoth is vulnerable to Directory Traversal |
| CVE-2025-39496 | critical | 9.3 | 9.3 | 9mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WooBeWoo Product Filter Pro allows SQL Injection. This issue affects WooBeWoo Product Filter P… |
| CVE-2025-52830 | critical | 9.3 | 9.3 | 11mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bSecure – Your Universal Checkout bSecure – Your Universal Checkout bsecure allows Blind SQL Inje… |
| CVE-2025-4383 | critical | 9.3 | 9.3 | 1y ago | Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication… |
| CVE-2025-47573 | critical | 9.3 | 9.3 | 1y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management allows Blind SQL Injection. This issue affects School Management: from… |
| CVE-2025-39479 | critical | 9.3 | 9.3 | 1y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartiolabs Smart Notification allows Blind SQL Injection. This issue affects Smart Notification:… |
| CVE-2025-39389 | critical | 9.3 | 9.3 | 1y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solid Plugins AnalyticsWP allows SQL Injection. This issue affects AnalyticsWP: from n/a through 2… |
| CVE-2025-32643 | critical | 9.3 | 9.3 | 1y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0. |
| CVE-2025-47657 | critical | 9.3 | 9.3 | 1y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce productive-commerce allows SQL Injection. This issue affects … |
| CVE-2025-30622 | critical | 9.3 | 9.3 | 1y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in torsteino PostMash postmash-custom allows SQL Injection. This issue affects PostMash: from n/a thr… |
| CVE-2025-41268 | critical | 9.1 | 9.1 | 9d ago | Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated att… |
| CVE-2025-40949 | critical | 9.1 | 9.1 | 26d ago | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1… |
| CVE-2025-69690 | critical | 9.1 | 9.1 | 1mo ago | Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes … |
| CVE-2025-59852 | critical | 9.1 | 9.1 | 1mo ago | HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise t… |
| CVE-2025-14543 | critical | 9.1 | 9.1 | 1mo ago | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. This issue affects Connext Professional: from 7.4.… |
| CVE-2025-69615 | critical | 9.1 | 9.1 | 3mo ago | Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Acco… |
| CVE-2025-11158 | critical | 9.1 | 9.1 | 3mo ago | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of … |
| CVE-2025-1928 | critical | 9.1 | 9.1 | 6mo ago | Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation. This issue affect… |
| CVE-2025-14520 | critical | 9.1 | 9.1 | 6mo ago | A weakness has been identified in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. Impacted is an unknown function of the file /admin/index.php/datafile/delfile. This manipulation of the a… |
| CVE-2025-11631 | critical | 9.1 | 9.1 | 8mo ago | A vulnerability was determined in RainyGao DocSys up to 2.02.36. Affected by this vulnerability is an unknown functionality of the file /Doc/deleteDoc.do. Executing manipulation of the argument path … |
| CVE-2025-9004 | critical | 9.1 | 9.1 | 10mo ago | A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentica… |
| CVE-2025-8729 | critical | 9.1 | 9.1 | 10mo ago | A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. T… |
| CVE-2025-22871 | critical | 9.1 | 9.1 | 10mo ago | Moderate: git-lfs security update |
| CVE-2025-49796 | critical | 9.1 | 9.1 | 11mo ago | A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input f… |
| CVE-2025-49794 | critical | 9.1 | 9.1 | 11mo ago | A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. … |
| CVE-2025-48267 | critical | 9.1 | 9.1 | 1y ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes allows Path Traversal. This issue affects WP Pipes: from n/a through 1.4.2. |
| CVE-2025-2691 | critical | 9.1 | 9.1 | 1y ago | nossrf Server-Side Request Forgery (SSRF) |
| CVE-2025-62023 | critical | 9.0 | 9.0 | 8mo ago | Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member. This issue affects s2Member: from n/a through <= 250905. |
| CVE-2025-8535 | critical | 9.0 | 9.0 | 10mo ago | A vulnerability, which was classified as problematic, has been found in cronoh NanoVault up to 1.2.1. This issue affects the function executeJavaScript of the file /main.js of the component xrb URL H… |
| CVE-2025-8264 | critical | 9.0 | 9.0 | 10mo ago | z-push/z-push-dev SQL Injection Vulnerability |
| CVE-2025-31916 | critical | 9.0 | 9.0 | 1y ago | Unrestricted Upload of File with Dangerous Type vulnerability in joy2012bd JP Students Result Management System Premium allows Upload a Web Shell to a Web Server. This issue affects JP Students Resul… |
| CVE-2025-2311 | critical | 9.0 | 9.0 | 1y ago | Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication… |