CVEs from 2025
Total
8,971
critical
critical 1,368
high
high 2,067
medium
medium 2,068
low
low 204
% Critical
15.2%
% with KEV
2.0%
% with exploit
2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 110
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11954 | high | 8.0 | 8.0 | 17d ago | Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: The ve… | |||
| CVE-2025-68741 | high | — | 8.0 | 18d ago | Important: kernel security update | |||
| CVE-2025-71116 | high | — | 8.0 | 18d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encod… | |||
| CVE-2025-15284 | high | — | 8.0 | 19d ago | Important: linux-sgx security update | |||
| CVE-2025-43511 | high | — | 8.0 | 19d ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watc… | |||
| CVE-2025-46299 | high | — | 8.0 | 19d ago | A memory initialization issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Proc… | |||
| CVE-2025-43213 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously … | |||
| CVE-2025-61726 | high | — | 8.0 | 19d ago | Memory exhaustion in query parameter parsing in net/url | |||
| CVE-2025-43214 | high | — | 8.0 | 19d ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously … | |||
| CVE-2025-43457 | high | — | 8.0 | 19d ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Processing malicious… | |||
| CVE-2025-13837 | high | — | 8.0 | 19d ago | Important: python3.12 security update | |||
| CVE-2025-15282 | high | — | 8.0 | 19d ago | Important: python3.12 security update | |||
| CVE-2025-46701 | high | — | 8.0 | 19d ago | Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to th… | |||
| CVE-2025-55668 | high | — | 8.0 | 19d ago | Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old… | |||
| CVE-2025-71261 | high | — | 8.0 | 1mo ago | Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS | |||
| CVE-2025-68724 | high | — | 8.0 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential inte… | |||
| CVE-2025-40252 | high | — | 8.0 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede… | |||
| CVE-2025-15270 | high | — | 8.0 | 2mo ago | Important: fontforge security update | |||
| CVE-2025-61731 | high | — | 8.0 | 2mo ago | Important: golang security update | |||
| CVE-2025-68114 | high | — | 8.0 | 3mo ago | Important: capstone security update | |||
| CVE-2025-67873 | high | — | 8.0 | 3mo ago | Important: capstone security update | |||
| CVE-2025-15568 | high | 8.0 | 8.0 | 3mo ago | A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code executi… | |||
| CVE-2025-69534 | high | — | 8.0 | 3mo ago | Python-Markdown has an Uncaught Exception | |||
| CVE-2025-67733 | high | — | 8.0 | 3mo ago | Important: valkey security update | |||
| CVE-2025-38248 | high | — | 8.0 | 3mo ago | In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a mul… | |||
| CVE-2025-59465 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-59466 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55131 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55132 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55130 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-15059 | high | — | 8.0 | 4mo ago | Important: gimp security update | |||
| CVE-2025-61732 | high | — | 8.0 | 4mo ago | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | |||
| CVE-2025-61728 | high | — | 8.0 | 4mo ago | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously construct… | |||
| CVE-2025-15269 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-15275 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-15279 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-69971 | high | — | 8.0 | 4mo ago | FUXA has a hardcoded fallback JWT signing secret | |||
| CVE-2025-7016 | high | 8.0 | 8.0 | 4mo ago | Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. | |||
| CVE-2025-11187 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-15469 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-66199 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-15468 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-14180 | high | — | 8.0 | 4mo ago | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an… | |||
| CVE-2025-66418 | high | — | 8.0 | 4mo ago | Important: fence-agents security update | |||
| CVE-2025-68301 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-40294 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-68305 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-38141 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-40248 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-40258 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-38731 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-38349 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-4764 | high | 8.0 | 8.0 | 5mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue a… | |||
| CVE-2025-14423 | high | — | 8.0 | 5mo ago | Important: gimp security update | |||
| CVE-2025-14424 | high | — | 8.0 | 5mo ago | Important: gimp security update | |||
| CVE-2025-61729 | high | — | 8.0 | 5mo ago | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string con… | |||
| CVE-2025-14425 | high | — | 8.0 | 5mo ago | Important: gimp security update | |||
| CVE-2025-14422 | high | — | 8.0 | 5mo ago | RHSA-2026:1574: gimp:2.8 security update (Important) | |||
| CVE-2025-67269 | high | — | 8.0 | 5mo ago | Important: gpsd-minimal security update | |||
| CVE-2025-38703 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-40277 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-68285 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-68287 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-39933 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-67268 | high | — | 8.0 | 5mo ago | Important: gpsd-minimal security update | |||
| CVE-2025-38051 | high | — | 8.0 | 5mo ago | In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may acces… | |||
| CVE-2025-66566 | high | — | 8.0 | 5mo ago | yawkat LZ4 Java has a possible information leak in Java safe decompressor | |||
| CVE-2025-14327 | high | — | 8.0 | 5mo ago | Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7. | |||
| CVE-2025-68615 | high | — | 8.0 | 5mo ago | RHSA-2026:0750: net-snmp security update (Important) | |||
| CVE-2025-68973 | high | — | 8.0 | 5mo ago | RHSA-2026:0728: gnupg2 security update (Important) | |||
| CVE-2025-47913 | high | — | 8.0 | 5mo ago | RHSA-2026:0753: container-tools:rhel8 security update (Important) | |||
| CVE-2025-14523 | high | — | 8.0 | 5mo ago | RHSA-2026:1509: spice-client-win security update (Important) | |||
| CVE-2025-39993 | high | — | 8.0 | 5mo ago | In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe in… | |||
| CVE-2025-64720 | high | — | 8.0 | 5mo ago | RHSA-2026:0932: java-1.8.0-openjdk security update (Important) | |||
| CVE-2025-65018 | high | — | 8.0 | 5mo ago | RHSA-2026:0932: java-1.8.0-openjdk security update (Important) | |||
| CVE-2025-66293 | high | — | 8.0 | 5mo ago | RHSA-2026:9686: java-17-openjdk security update (Important) | |||
| CVE-2025-13699 | high | — | 8.0 | 5mo ago | MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Intera… | |||
| CVE-2025-68156 | high | — | 8.0 | 6mo ago | Important: opentelemetry-collector security update | |||
| CVE-2025-26625 | high | — | 8.0 | 6mo ago | Git LFS may write to arbitrary files via crafted symlinks | |||
| CVE-2025-65082 | high | — | 8.0 | 6mo ago | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables cal… | |||
| CVE-2025-55753 | high | — | 8.0 | 6mo ago | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certi… | |||
| CVE-2025-58098 | high | — | 8.0 | 6mo ago | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects A… | |||
| CVE-2025-66200 | high | — | 8.0 | 6mo ago | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an u… | |||
| CVE-2025-6075 | high | — | 8.0 | 6mo ago | Important: python3.12 security update | |||
| CVE-2025-6069 | high | — | 8.0 | 6mo ago | The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. | |||
| CVE-2025-43541 | high | — | 8.0 | 6mo ago | A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Process… | |||
| CVE-2025-43501 | high | — | 8.0 | 6mo ago | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Proce… | |||
| CVE-2025-43531 | high | — | 8.0 | 6mo ago | A race condition was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, wa… | |||
| CVE-2025-43535 | high | — | 8.0 | 6mo ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciou… | |||
| CVE-2025-43536 | high | — | 8.0 | 6mo ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciou… | |||
| CVE-2025-40176 | high | — | 8.0 | 6mo ago | Important: kernel security update | |||
| CVE-2025-4516 | high | — | 8.0 | 6mo ago | There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To… | |||
| CVE-2025-39966 | high | — | 8.0 | 6mo ago | Important: kernel security update | |||
| CVE-2025-13609 | high | — | 8.0 | 6mo ago | Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices | |||
| CVE-2025-13499 | high | — | 8.0 | 6mo ago | Important: wireshark security update | |||
| CVE-2025-14333 | high | — | 8.0 | 6mo ago | Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort… | |||
| CVE-2025-14324 | high | — | 8.0 | 6mo ago | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14323 | high | — | 8.0 | 6mo ago | Privilege escalation in the DOM: Notifications component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14322 | high | — | 8.0 | 6mo ago | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Th… | |||
| CVE-2025-14321 | high | — | 8.0 | 6mo ago | Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. |