CVEs from 2025
- Total: 8,829
- Critical: 1,329
- High: 1,995
- Medium: 1,981
- Low: 202
- % Critical: 15.1%
- % with KEV: 2.1%
- % with exploit: 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-48370 | low | — | 2.5 | 1y ago | auth-js Vulnerable to Insecure Path Routing from Malformed User Input | |||
| CVE-2025-4428 | unknown | — | 2.5 | 1y ago | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. T… | |||
| CVE-2025-4427 | unknown | — | 2.5 | 1y ago | Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted… | |||
| CVE-2025-30397 | unknown | — | 2.5 | 1y ago | Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL. | |||
| CVE-2025-32432 | unknown | — | 2.5 | 1y ago | Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code. | |||
| CVE-2025-24016 | unknown | — | 2.5 | 1y ago | Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers. | |||
| CVE-2025-24054 | unknown | — | 2.5 | 1y ago | Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2025-30406 | unknown | — | 2.5 | 1y ago | Gladinet CentreStack and Triofox contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploi… | |||
| CVE-2025-31161 | unknown | — | 2.5 | 1y ago | CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., c… | |||
| CVE-2025-22457 | unknown | — | 2.5 | 1y ago | Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution. | |||
| CVE-2025-2783 | unknown | — | 2.5 | 1y ago | Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability… | |||
| CVE-2025-26633 | unknown | — | 2.5 | 1y ago | Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally. | |||
| CVE-2025-24893 | unknown | — | 2.5 | 1y ago | XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch. | |||
| CVE-2025-1376 | low | 2.5 | 2.5 | 1y ago | A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipu… | |||
| CVE-2025-24085 | unknown | — | 2.5 | 1y ago | Apple iOS, macOS, and other Apple products contain a use-after-free vulnerability that could allow a malicious application to elevate privileges. | |||
| CVE-2025-21333 | unknown | — | 2.5 | 1y ago | Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges. | |||
| CVE-2025-0282 | unknown | — | 2.5 | 1y ago | Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. | |||
| CVE-2025-68711 | low | 2.4 | 2.4 | 9d ago | AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an ove… | |||
| CVE-2025-68708 | low | 2.4 | 2.4 | 9d ago | SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's … | |||
| CVE-2025-68710 | low | 2.4 | 2.4 | 10d ago | Easyelife App lock (aka Fingerprint,Applock or locker.app.safe.applocker) 1.9.2 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay … | |||
| CVE-2025-15505 | low | 2.4 | 2.4 | 5mo ago | A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wirel… | |||
| CVE-2025-15149 | low | 2.4 | 2.4 | 5mo ago | A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/upda… | |||
| CVE-2025-14722 | low | 2.4 | 2.4 | 6mo ago | A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the componen… | |||
| CVE-2025-13795 | low | 2.4 | 2.4 | 6mo ago | A weakness has been identified in codingWithElias School Management System up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. Affected is an unknown function of the file /student-view.php of the compone… | |||
| CVE-2025-11645 | low | 2.4 | 2.4 | 8mo ago | A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to … | |||
| CVE-2025-11333 | low | 2.4 | 2.4 | 8mo ago | A vulnerability was identified in langleyfcu Online Banking System up to 57437e6400ce0ae240e692c24e6346b8d0c17d7a. This impacts an unknown function of the file /customer_add_action.php of the compone… | |||
| CVE-2025-11283 | low | 2.4 | 2.4 | 8mo ago | A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site script… | |||
| CVE-2025-11134 | low | 2.4 | 2.4 | 8mo ago | A security vulnerability has been detected in Cudy TR1200 1.16.3-20230804-164635. Impacted is an unknown function of the file /cgi-bin/luci/admin/network/wireless/config/ of the component Wireless Se… | |||
| CVE-2025-10949 | low | 2.4 | 2.4 | 8mo ago | A vulnerability was found in Changsha Developer Technology iView Editor up to 1.1.1. This impacts an unknown function of the component Markdown Handler. The manipulation results in cross site scripti… | |||
| CVE-2025-10909 | low | 2.4 | 2.4 | 8mo ago | Mangati NovoSGA XSS vulnerability in /admin | |||
| CVE-2025-10434 | low | 2.4 | 2.4 | 9mo ago | A vulnerability was identified in IbuyuCMS up to 2.6.3. Impacted is an unknown function of the file /admin/article.php?a=mod of the component Add Article Page. The manipulation of the argument Title … | |||
| CVE-2025-9797 | low | 2.4 | 2.4 | 9mo ago | A vulnerability was determined in mrvautin expressCart up to b31302f4e99c3293bd742c6d076a721e168118b0. This impacts an unknown function of the file /admin/product/edit/ of the component Edit Product … | |||
| CVE-2025-9591 | low | 2.4 | 2.4 | 9mo ago | A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipul… | |||
| CVE-2025-9416 | low | 2.4 | 2.4 | 9mo ago | A security flaw has been discovered in oitcode samarium up to 0.9.6. This vulnerability affects unknown code of the file /cms/webpage/ of the component Pages Image Handler. The manipulation results i… | |||
| CVE-2025-9119 | low | 2.4 | 2.4 | 10mo ago | A vulnerability was determined in Netis WF2419 1.2.29433. This vulnerability affects unknown code of the file /index.htm of the component Wireless Settings Page. This manipulation of the argument SSI… | |||
| CVE-2025-9103 | low | 2.4 | 2.4 | 10mo ago | A vulnerability was detected in ZenCart 2.1.0. Affected by this vulnerability is an unknown functionality of the component CKEditor. The manipulation leads to cross site scripting. The attack can be … | |||
| CVE-2025-8834 | low | 2.4 | 2.4 | 10mo ago | A vulnerability has been found in JCG Link-net LW-N915R 17s.20.001.908. Affected is an unknown function of the file /wireless/basic.asp of the component Wireless Basic Settings Page. The manipulation… | |||
| CVE-2025-7554 | low | 2.4 | 2.4 | 11mo ago | A vulnerability classified as problematic was found in Sapido RB-1802 1.0.32. This vulnerability affects unknown code of the file urlfilter.asp of the component URL Filtering Page. The manipulation o… | |||
| CVE-2025-62316 | low | 2.3 | 2.3 | 22d ago | HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based securi… | |||
| CVE-2025-6748 | low | 2.1 | 2.1 | 11mo ago | A vulnerability classified as problematic has been found in Bharti Airtel Thanks App 4.105.4 on Android. Affected is an unknown function of the file /Android/data/com.myairtelapp/files/. The manipula… | |||
| CVE-2025-6666 | low | 2.0 | 2.0 | 6mo ago | A vulnerability was determined in motogadget mo.lock Ignition Lock up to 20251125. Affected by this vulnerability is an unknown functionality of the component NFC Handler. Executing manipulation can … | |||
| CVE-2025-21096 | low | 1.9 | 1.9 | 10mo ago | Improper buffer restrictions in the firmware for some Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | |||
| CVE-2025-9381 | low | 1.6 | 1.6 | 10mo ago | A security flaw has been discovered in FNKvision Y215 CCTV Camera 10.194.120.40. This affects an unknown part of the file /tmp/wpa_supplicant.conf. Performing manipulation results in information disc… | |||
| CVE-2025-7215 | low | 1.6 | 1.6 | 11mo ago | A vulnerability, which was classified as problematic, has been found in FNKvision FNK-GU2 up to 40.1.7. Affected by this issue is some unknown functionality of the file /rom/wpa_supplicant.conf. The … | |||
| CVE-2025-7214 | low | 1.6 | 1.6 | 11mo ago | A vulnerability classified as problematic was found in FNKvision FNK-GU2 up to 40.1.7. Affected by this vulnerability is an unknown functionality of the file /etc/shadow of the component MD5. The man… | |||
| CVE-2025-29635 | unknown | — | 1.5 | 1mo ago | D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via … | |||
| CVE-2025-2749 | unknown | — | 1.5 | 2mo ago | Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations. | |||
| CVE-2025-48700 | unknown | — | 1.5 | 2mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to una… | |||
| CVE-2025-32975 | unknown | — | 1.5 | 2mo ago | Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials. | |||
| CVE-2025-60710 | unknown | — | 1.5 | 2mo ago | Microsoft Windows contains a link following vulnerability that allows for privilege escalation | |||
| CVE-2025-53521 | unknown | — | 1.5 | 2mo ago | F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution. | |||
| CVE-2025-43520 | unknown | — | 1.5 | 3mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel … | |||
| CVE-2025-43510 | unknown | — | 1.5 | 3mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes. | |||
| CVE-2025-66376 | unknown | — | 1.5 | 3mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML. | |||
| CVE-2025-47813 | unknown | — | 1.5 | 3mo ago | Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie. | |||
| CVE-2025-26399 | unknown | — | 1.5 | 3mo ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine. | |||
| CVE-2025-68461 | unknown | — | 1.5 | 4mo ago | RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document. | |||
| CVE-2025-15556 | unknown | — | 1.5 | 4mo ago | Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute… | |||
| CVE-2025-68645 | unknown | — | 1.5 | 4mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal reque… | |||
| CVE-2025-34026 | unknown | — | 1.5 | 4mo ago | Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The… | |||
| CVE-2025-14733 | unknown | — | 1.5 | 6mo ago | WatchGuard Fireware OS contains an out-of-bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and … | |||
| CVE-2025-59374 | unknown | — | 1.5 | 6mo ago | ASUS Live Update contains an embedded malicious code vulnerability; the client was distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could caus… | |||
| CVE-2025-40602 | unknown | — | 1.5 | 6mo ago | SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation in the appliance management console (AMC) of affected devices. | |||
| CVE-2025-20393 | unknown | — | 1.5 | 6mo ago | Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with… | |||
| CVE-2025-59718 | unknown | — | 1.5 | 6mo ago | Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiC… | |||
| CVE-2025-8110 | unknown | — | 1.5 | 6mo ago | Gogs contains a path traversal vulnerability affecting improper symbolic link handling in the PutContents API that could allow for code execution. | |||
| CVE-2025-62221 | unknown | — | 1.5 | 6mo ago | Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally. | |||
| CVE-2025-6218 | unknown | — | 1.5 | 6mo ago | RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user. | |||
| CVE-2025-66644 | unknown | — | 1.5 | 6mo ago | Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands. | |||
| CVE-2025-48572 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2025-48633 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for information disclosure. | |||
| CVE-2025-61757 | unknown | — | 1.5 | 7mo ago | Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager. | |||
| CVE-2025-13223 | unknown | — | 1.5 | 7mo ago | Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption. | |||
| CVE-2025-9242 | unknown | — | 1.5 | 7mo ago | WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code. | |||
| CVE-2025-12480 | unknown | — | 1.5 | 7mo ago | Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete. | |||
| CVE-2025-21042 | unknown | — | 1.5 | 7mo ago | Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code. | |||
| CVE-2025-48703 | unknown | — | 1.5 | 7mo ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in… | |||
| CVE-2025-11953 | unknown | — | 1.5 | 7mo ago | React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary e… | |||
| CVE-2025-6205 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application. | |||
| CVE-2025-6204 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code. | |||
| CVE-2025-61932 | unknown | — | 1.5 | 8mo ago | Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packet… | |||
| CVE-2025-2746 | unknown | — | 1.5 | 8mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |||
| CVE-2025-2747 | unknown | — | 1.5 | 8mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |||
| CVE-2025-61884 | unknown | — | 1.5 | 8mo ago | Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication. | |||
| CVE-2025-54253 | unknown | — | 1.5 | 8mo ago | Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution. | |||
| CVE-2025-59230 | unknown | — | 1.5 | 8mo ago | Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally. | |||
| CVE-2025-47827 | unknown | — | 1.5 | 8mo ago | IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a cr… | |||
| CVE-2025-24990 | unknown | — | 1.5 | 8mo ago | Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain… | |||
| CVE-2025-27915 | unknown | — | 1.5 | 8mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user… | |||
| CVE-2025-4008 | unknown | — | 1.5 | 8mo ago | Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected de… | |||
| CVE-2025-21043 | unknown | — | 1.5 | 8mo ago | Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code. | |||
| CVE-2025-20352 | unknown | — | 1.5 | 8mo ago | Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A… | |||
| CVE-2025-59689 | unknown | — | 1.5 | 8mo ago | Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment. | |||
| CVE-2025-10035 | unknown | — | 1.5 | 8mo ago | Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, … | |||
| CVE-2025-20362 | unknown | — | 1.5 | 8mo ago | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be cha… | |||
| CVE-2025-20333 | unknown | — | 1.5 | 8mo ago | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution.… | |||
| CVE-2025-10585 | unknown | — | 1.5 | 9mo ago | Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. | |||
| CVE-2025-5086 | unknown | — | 1.5 | 9mo ago | Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution. | |||
| CVE-2025-48543 | unknown | — | 1.5 | 9mo ago | Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation. | |||
| CVE-2025-53690 | unknown | — | 1.5 | 9mo ago | Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine … |