CVEs from 2025
- Total: 8,965
- Critical: 1,368
- High: 2,067
- Medium: 2,068
- Low: 204
- % Critical: 15.3%
- % with KEV: 2.0%
- % with exploit: 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 110
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-32910 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-5267 | high | — | 8.0 | 1y ago | A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunder… | |||
| CVE-2025-32909 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-3909 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-3877 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-3887 | high | — | 8.0 | 1y ago | RHSA-2025:8201: gstreamer1-plugins-bad-free security update (Important) | |||
| CVE-2025-3875 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-3932 | high | — | 8.0 | 1y ago | RHSA-2025:8756: thunderbird security update (Important) | |||
| CVE-2025-2784 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-4948 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-32914 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-32049 | high | — | 8.0 | 1y ago | RHSA-2025:8132: libsoup security update (Important) | |||
| CVE-2025-4919 | high | — | 8.0 | 1y ago | An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ES… | |||
| CVE-2025-4918 | high | — | 8.0 | 1y ago | An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbi… | |||
| CVE-2025-31205 | high | — | 8.0 | 1y ago | The issue was addressed with improved checks. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. A malicious website may exfiltra… | |||
| CVE-2025-37749 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-21966 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-47287 | high | — | 8.0 | 1y ago | RHSA-2025:8254: pcs security update (Important) | |||
| CVE-2025-26646 | high | — | 8.0 | 1y ago | RHSA-2025:7589: .NET 8.0 security update (Important) | |||
| CVE-2025-31492 | high | — | 8.0 | 1y ago | RHSA-2025:3997: mod_auth_openidc:2.3 security update (Important) | |||
| CVE-2025-21633 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-3155 | high | — | 8.0 | 1y ago | A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrat… | |||
| CVE-2025-32906 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-31498 | high | — | 8.0 | 1y ago | Important: nodejs:22 security update | |||
| CVE-2025-32913 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-21605 | high | — | 8.0 | 1y ago | RHSA-2025:7686: redis:6 security update (Important) | |||
| CVE-2025-46421 | high | — | 8.0 | 1y ago | RHSA-2025:4560: libsoup security update (Important) | |||
| CVE-2025-32907 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-32052 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-3277 | high | — | 8.0 | 1y ago | Important: nodejs:22 security update | |||
| CVE-2025-32911 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-32053 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-21993 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-46420 | high | — | 8.0 | 1y ago | RHSA-2025:4560: libsoup security update (Important) | |||
| CVE-2025-32050 | high | — | 8.0 | 1y ago | RHSA-2025:8292: mingw-freetype and spice-client-win security update (Important) | |||
| CVE-2025-46727 | high | — | 8.0 | 1y ago | RHSA-2025:8254: pcs security update (Important) | |||
| CVE-2025-4093 | high | — | 8.0 | 1y ago | RHSA-2025:4797: thunderbird security update (Important) | |||
| CVE-2025-4083 | high | — | 8.0 | 1y ago | A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended f… | |||
| CVE-2025-2817 | high | — | 8.0 | 1y ago | Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged… | |||
| CVE-2025-4091 | high | — | 8.0 | 1y ago | Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort so… | |||
| CVE-2025-4087 | high | — | 8.0 | 1y ago | A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and… | |||
| CVE-2025-21927 | high | — | 8.0 | 1y ago | Important: kernel security update | |||
| CVE-2025-3522 | high | — | 8.0 | 1y ago | RHSA-2025:4649: thunderbird security update (Important) | |||
| CVE-2025-3523 | high | — | 8.0 | 1y ago | RHSA-2025:4649: thunderbird security update (Important) | |||
| CVE-2025-2830 | high | — | 8.0 | 1y ago | RHSA-2025:4649: thunderbird security update (Important) | |||
| CVE-2025-22866 | high | — | 8.0 | 1y ago | Important: delve and golang security update | |||
| CVE-2025-30427 | high | — | 8.0 | 1y ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS… | |||
| CVE-2025-24216 | high | — | 8.0 | 1y ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processi… | |||
| CVE-2025-24209 | high | — | 8.0 | 1y ago | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4. Processi… | |||
| CVE-2025-24189 | high | — | 8.0 | 1y ago | The issue was addressed with improved checks. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Processing maliciously crafted w… | |||
| CVE-2025-24208 | high | — | 8.0 | 1y ago | A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack. | |||
| CVE-2025-24813 | medium | — | 8.0 | 1y ago | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apach… | |||
| CVE-2025-3030 | high | — | 8.0 | 1y ago | Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort so… | |||
| CVE-2025-3028 | high | — | 8.0 | 1y ago | JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunde… | |||
| CVE-2025-3029 | high | — | 8.0 | 1y ago | A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR … | |||
| CVE-2025-1080 | high | — | 8.0 | 1y ago | LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In th… | |||
| CVE-2025-22868 | high | — | 8.0 | 1y ago | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | |||
| CVE-2025-22869 | high | — | 8.0 | 1y ago | RHSA-2025:3210: container-tools:rhel8 security update (Important) | |||
| CVE-2025-30204 | high | — | 8.0 | 1y ago | RHSA-2025:7967: osbuild-composer security update (Important) | |||
| CVE-2025-29786 | high | — | 8.0 | 1y ago | Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire strin… | |||
| CVE-2025-21785 | high | — | 8.0 | 1y ago | In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bo… | |||
| CVE-2025-27516 | high | — | 8.0 | 1y ago | RHSA-2025:3388: python-jinja2 security update (Important) | |||
| CVE-2025-24855 | high | — | 8.0 | 1y ago | RHSA-2025:3615: libxslt security update (Important) | |||
| CVE-2025-0624 | high | — | 8.0 | 1y ago | Important: grub2 security update | |||
| CVE-2025-24928 | high | — | 8.0 | 1y ago | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted … | |||
| CVE-2025-24070 | high | — | 8.0 | 1y ago | RHSA-2025:2670: .NET 8.0 security, bug fix, and enhancement update (Important) | |||
| CVE-2025-26600 | high | — | 8.0 | 1y ago | A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause… | |||
| CVE-2025-26595 | high | — | 8.0 | 1y ago | A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The cod… | |||
| CVE-2025-26598 | high | — | 8.0 | 1y ago | An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL,… | |||
| CVE-2025-26599 | high | — | 8.0 | 1y ago | An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will… | |||
| CVE-2025-26596 | high | — | 8.0 | 1y ago | A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overfl… | |||
| CVE-2025-26601 | high | — | 8.0 | 1y ago | A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventuall… | |||
| CVE-2025-26594 | high | — | 8.0 | 1y ago | A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed me… | |||
| CVE-2025-1932 | high | — | 8.0 | 1y ago | An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability was fixed in Firefox 136, … | |||
| CVE-2025-1938 | high | — | 8.0 | 1y ago | Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort so… | |||
| CVE-2025-1931 | high | — | 8.0 | 1y ago | It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 136, Firefox ES… | |||
| CVE-2025-1937 | high | — | 8.0 | 1y ago | Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that w… | |||
| CVE-2025-1936 | high | — | 8.0 | 1y ago | jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was u… | |||
| CVE-2025-1933 | high | — | 8.0 | 1y ago | On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type. This vulnerability was fix… | |||
| CVE-2025-1930 | high | — | 8.0 | 1y ago | On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. This vulnerability w… | |||
| CVE-2025-1935 | high | — | 8.0 | 1y ago | A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird… | |||
| CVE-2025-1934 | high | — | 8.0 | 1y ago | It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability was f… | |||
| CVE-2025-24150 | high | — | 8.0 | 1y ago | A privacy issue was addressed with improved handling of files. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3. Copying a URL from Web Inspector may lead to command i… | |||
| CVE-2025-24143 | high | — | 8.0 | 1y ago | The issue was addressed with improved access restrictions to the file system. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, visionOS 2.3. A maliciously crafted web… | |||
| CVE-2025-24162 | high | — | 8.0 | 1y ago | This issue was addressed through improved state management. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. Processing malicio… | |||
| CVE-2025-1244 | high | — | 8.0 | 1y ago | RHSA-2025:1917: emacs security update (Important) | |||
| CVE-2025-21523 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21531 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21521 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21536 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21504 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21519 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21491 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21494 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21501 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21505 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21497 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21522 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21546 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) | |||
| CVE-2025-21534 | high | — | 8.0 | 1y ago | RHSA-2025:1673: mysql:8.0 security update (Important) |