CVEs from 2025
Total
8,829
critical
critical 1,329
high
high 1,995
medium
medium 1,981
low
low 202
% Critical
15.1%
% with KEV
2.1%
% with exploit
2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49360 | high | 8.1 | 8.1 | 6mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion.This is… | |||
| CVE-2025-49359 | high | 8.1 | 8.1 | 6mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion.This issu… | |||
| CVE-2025-14111 | high | 8.1 | 8.1 | 6mo ago | A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal. … | |||
| CVE-2025-14016 | high | 8.1 | 8.1 | 6mo ago | A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to… | |||
| CVE-2025-13813 | high | 8.1 | 8.1 | 6mo ago | A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation le… | |||
| CVE-2025-13468 | high | 8.1 | 8.1 | 7mo ago | A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/… | |||
| CVE-2025-13435 | high | 8.1 | 8.1 | 7mo ago | Resty has a Path Traversal vulnerability | |||
| CVE-2025-11959 | high | 8.1 | 8.1 | 7mo ago | Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management… | |||
| CVE-2025-58995 | high | 8.1 | 8.1 | 7mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Leblix leblix allows PHP Local File Inclusion.This issue affe… | |||
| CVE-2025-58994 | high | 8.1 | 8.1 | 7mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Greenify greenify allows PHP Local File Inclusion.This issue affe… | |||
| CVE-2025-48290 | high | 8.1 | 8.1 | 7mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Kinsley kinsley allows PHP Local File Inclusion.This issue affects K… | |||
| CVE-2025-48090 | high | 8.1 | 8.1 | 7mo ago | Path Traversal: '.../...//' vulnerability in CocoBasic Blanka - One Page WordPress Theme blanka-wp allows PHP Local File Inclusion.This issue affects Blanka - One Page WordPress Theme: from n/a throu… | |||
| CVE-2025-12615 | high | 8.1 | 8.1 | 7mo ago | A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRET_KEY leads… | |||
| CVE-2025-12547 | high | 8.1 | 8.1 | 7mo ago | A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads t… | |||
| CVE-2025-12283 | high | 8.1 | 8.1 | 7mo ago | A security flaw has been discovered in code-projects Client Details System 1.0. The impacted element is an unknown function. The manipulation results in authorization bypass. The attack can be launch… | |||
| CVE-2025-58967 | high | 8.1 | 8.1 | 8mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Businext businext allows PHP Local File Inclusion.This issue affects… | |||
| CVE-2025-58958 | high | 8.1 | 8.1 | 8mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove SmilePure smilepure allows PHP Local File Inclusion.This issue affec… | |||
| CVE-2025-11941 | high | 8.1 | 8.1 | 8mo ago | A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulati… | |||
| CVE-2025-11938 | high | 8.1 | 8.1 | 8mo ago | A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DB_PASSWORD/ROOT_PATH/URL re… | |||
| CVE-2025-11853 | high | 8.1 | 8.1 | 8mo ago | A vulnerability was determined in Sismics Teedy up to 1.11. This affects an unknown function of the file /api/file of the component API Endpoint. Executing a manipulation can lead to improper access … | |||
| CVE-2025-49552 | high | 8.1 | 8.1 | 8mo ago | Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a high-privileged attacker to execute malicious scripts in a vi… | |||
| CVE-2025-11646 | high | 8.1 | 8.1 | 8mo ago | A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The atta… | |||
| CVE-2025-11609 | high | 8.1 | 8.1 | 8mo ago | A flaw has been found in code-projects Hospital Management System 1.0. Affected is the function session of the component express-session. This manipulation of the argument secret with the input secre… | |||
| CVE-2025-11290 | high | 8.1 | 8.1 | 8mo ago | A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads t… | |||
| CVE-2025-9566 | high | 8.1 | 8.1 | 9mo ago | RHSA-2025:15904: container-tools:rhel8 security update (Important) | |||
| CVE-2025-54709 | high | 8.1 | 8.1 | 9mo ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Sala. This issue affects Sala: from n/a through 1.1.6. | |||
| CVE-2025-9801 | high | 8.1 | 8.1 | 9mo ago | A security vulnerability has been detected in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. This affects an unknown part. The manipulation of the argument filePath leads to path tra… | |||
| CVE-2025-53243 | high | 8.1 | 8.1 | 9mo ago | Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress employee-directory allows Object Injection.This issue affect… | |||
| CVE-2025-9262 | high | 8.1 | 8.1 | 10mo ago | wong2 mcp-cli Command Injection Vulnerability | |||
| CVE-2025-49438 | high | 8.1 | 8.1 | 10mo ago | Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection. This issue affects Simple Login Log: from n/a through 1.1.3. | |||
| CVE-2025-47219 | high | 8.1 | 8.1 | 10mo ago | In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure. | |||
| CVE-2025-7947 | high | 8.1 | 8.1 | 11mo ago | A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument … | |||
| CVE-2025-7628 | high | 8.1 | 8.1 | 11mo ago | A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. It has been classified as critical. This affects the function deleteFile of the file /dele… | |||
| CVE-2025-7079 | high | 8.1 | 8.1 | 11mo ago | A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the… | |||
| CVE-2025-52813 | high | 8.1 | 8.1 | 11mo ago | Missing Authorization vulnerability in pietro MobiLoud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MobiLoud: from n/a through 4.6.5. | |||
| CVE-2025-7060 | high | 8.1 | 8.1 | 11mo ago | A vulnerability was found in Monitorr up to 1.7.6m. It has been classified as problematic. This affects an unknown part of the file assets/config/_installation/mkdbajax.php of the component Installer… | |||
| CVE-2025-52810 | high | 8.1 | 8.1 | 11mo ago | Path Traversal vulnerability in TMRW-studio Katerio - Magazine allows PHP Local File Inclusion. This issue affects Katerio - Magazine: from n/a through 1.5.1. | |||
| CVE-2025-6329 | high | 8.1 | 8.1 | 1y ago | A vulnerability was found in ScriptAndTools Real Estate Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file userdelete.php of the component Us… | |||
| CVE-2025-49454 | high | 8.1 | 8.1 | 1y ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean TinySalt tinysalt allows PHP Local File Inclusion.This issue affects… | |||
| CVE-2025-5877 | high | 8.1 | 8.1 | 1y ago | A vulnerability, which was classified as problematic, has been found in Fengoffice Feng Office 3.2.2.1. Affected by this issue is some unknown functionality of the file /application/models/Applicatio… | |||
| CVE-2025-5139 | high | 8.1 | 8.1 | 1y ago | A vulnerability was found in Qualitor 8.20/8.24. It has been rated as critical. Affected by this issue is some unknown functionality of the file /html/ad/adconexaooffice365/request/testaConexaoOffice… | |||
| CVE-2025-31633 | high | 8.1 | 8.1 | 1y ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kiamo - Responsive Business Service WordPress Theme allows PHP Local Fi… | |||
| CVE-2025-31632 | high | 8.1 | 8.1 | 1y ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. This issue affects La Boom… | |||
| CVE-2025-39491 | high | 8.1 | 8.1 | 1y ago | Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. This issue affects WHMpress: from 6.2 through revision. | |||
| CVE-2025-2338 | high | 8.1 | 8.1 | 1y ago | A vulnerability, which was classified as critical, was found in tbeu matio 1.5.28. Affected is the function strdup_vprintf of the file src/io.c. The manipulation leads to heap-based buffer overflow. … | |||
| CVE-2025-2337 | high | 8.1 | 8.1 | 1y ago | A vulnerability, which was classified as critical, has been found in tbeu matio 1.5.28. This issue affects the function Mat_VarPrint of the file src/mat.c. The manipulation leads to heap-based buffer… | |||
| CVE-2025-23368 | high | 8.1 | 8.1 | 1y ago | Wildfly Elytron integration susceptible to brute force attacks via CLI | |||
| CVE-2025-32801 | high | — | 8.0 | — | Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the contr… | |||
| CVE-2025-49091 | high | — | 8.0 | — | KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed r… | |||
| CVE-2025-53367 | high | — | 8.0 | — | DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerabili… | |||
| CVE-2025-46803 | high | — | 8.0 | — | The default mode of pseudo terminals (PTYs) allocated by Screen was changed from 0620 to 0622, thereby allowing anyone to write to any Screen PTYs in the system. | |||
| CVE-2025-46804 | high | — | 8.0 | — | A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Scree… | |||
| CVE-2025-40775 | high | — | 8.0 | — | When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an as… | |||
| CVE-2025-30232 | high | — | 8.0 | — | A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges. | |||
| CVE-2025-46802 | high | — | 8.0 | — | For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session. | |||
| CVE-2025-23395 | high | — | 8.0 | — | Screen 5.0.0 when it runs with setuid-root privileges does not drop privileges while operating on a user supplied path. This allows unprivileged users to create files in arbitrary locations with `roo… | |||
| CVE-2025-32803 | high | — | 8.0 | — | In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | |||
| CVE-2025-46805 | high | — | 8.0 | — | Screen version 5.0.0 and older version 4 releases have a TOCTOU race potentially allowing to send SIGHUP, SIGCONT to privileged processes when installed setuid-root. | |||
| CVE-2025-32802 | high | — | 8.0 | — | Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured… | |||
| CVE-2025-68366 | high | — | 8.0 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK:… | |||
| CVE-2025-38653 | high | — | 8.0 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may ca… | |||
| CVE-2025-68347 | high | — | 8.0 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events The DSP event handling code in hwdep_read() could write mor… | |||
| CVE-2025-71089 | high | — | 8.0 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a f… | |||
| CVE-2025-68183 | high | — | 8.0 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA … | |||
| CVE-2025-11954 | high | 8.0 | 8.0 | 16d ago | Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: The ve… | |||
| CVE-2025-71116 | high | — | 8.0 | 16d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encod… | |||
| CVE-2025-68741 | high | — | 8.0 | 16d ago | Important: kernel security update | |||
| CVE-2025-43214 | high | — | 8.0 | 17d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously … | |||
| CVE-2025-43213 | high | — | 8.0 | 17d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously … | |||
| CVE-2025-55668 | high | — | 8.0 | 17d ago | Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old… | |||
| CVE-2025-43457 | high | — | 8.0 | 17d ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Processing malicious… | |||
| CVE-2025-61726 | high | — | 8.0 | 17d ago | RHSA-2026:23228: image-builder security update (Important) | |||
| CVE-2025-13837 | high | — | 8.0 | 17d ago | Important: python3.12 security update | |||
| CVE-2025-46701 | high | — | 8.0 | 17d ago | Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to th… | |||
| CVE-2025-15284 | high | — | 8.0 | 17d ago | Important: linux-sgx security update | |||
| CVE-2025-43511 | high | — | 8.0 | 17d ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watc… | |||
| CVE-2025-15282 | high | — | 8.0 | 17d ago | Important: python3.12 security update | |||
| CVE-2025-46299 | high | — | 8.0 | 17d ago | A memory initialization issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Proc… | |||
| CVE-2025-71261 | high | — | 8.0 | 1mo ago | Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS | |||
| CVE-2025-40252 | high | — | 8.0 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede… | |||
| CVE-2025-68724 | high | — | 8.0 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential inte… | |||
| CVE-2025-15270 | high | — | 8.0 | 2mo ago | Important: fontforge security update | |||
| CVE-2025-61731 | high | — | 8.0 | 2mo ago | Important: golang security update | |||
| CVE-2025-68114 | high | — | 8.0 | 3mo ago | Important: capstone security update | |||
| CVE-2025-67873 | high | — | 8.0 | 3mo ago | Important: capstone security update | |||
| CVE-2025-15568 | high | 8.0 | 8.0 | 3mo ago | A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code executi… | |||
| CVE-2025-69534 | high | — | 8.0 | 3mo ago | Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-M… | |||
| CVE-2025-67733 | high | — | 8.0 | 3mo ago | Important: valkey security update | |||
| CVE-2025-38248 | high | — | 8.0 | 3mo ago | In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a mul… | |||
| CVE-2025-59465 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-59466 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55131 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55132 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55130 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-61728 | high | — | 8.0 | 4mo ago | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously construct… | |||
| CVE-2025-15059 | high | — | 8.0 | 4mo ago | Important: gimp security update | |||
| CVE-2025-61732 | high | — | 8.0 | 4mo ago | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | |||
| CVE-2025-15275 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-15269 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-15279 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) |