CVEs from 2025
- Total: 8,951
- Critical: 1,361
- High: 2,043
- Medium: 2,040
- Low: 203
- % Critical: 15.2%
- % with KEV: 2.0%
- % with exploit: 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 110
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53

| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-61726 | high | — | 8.0 | 18d ago | Memory exhaustion in query parameter parsing in net/url | |||
| CVE-2025-71261 | high | — | 8.0 | 1mo ago | Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS | |||
| CVE-2025-68724 | high | — | 8.0 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential inte… | |||
| CVE-2025-40252 | high | — | 8.0 | 1mo ago | In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede… | |||
| CVE-2025-15270 | high | — | 8.0 | 2mo ago | Important: fontforge security update | |||
| CVE-2025-61731 | high | — | 8.0 | 2mo ago | Important: golang security update | |||
| CVE-2025-67873 | high | — | 8.0 | 3mo ago | Important: capstone security update | |||
| CVE-2025-68114 | high | — | 8.0 | 3mo ago | Important: capstone security update | |||
| CVE-2025-15568 | high | 8.0 | 8.0 | 3mo ago | A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code executi… | |||
| CVE-2025-69534 | high | — | 8.0 | 3mo ago | Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-M… | |||
| CVE-2025-67733 | high | — | 8.0 | 3mo ago | Important: valkey security update | |||
| CVE-2025-38248 | high | — | 8.0 | 3mo ago | In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a mul… | |||
| CVE-2025-59466 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55132 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55131 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-55130 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-59465 | high | — | 8.0 | 4mo ago | Important: nodejs:24 security update | |||
| CVE-2025-61728 | high | — | 8.0 | 4mo ago | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously construct… | |||
| CVE-2025-61732 | high | — | 8.0 | 4mo ago | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | |||
| CVE-2025-15059 | high | — | 8.0 | 4mo ago | Important: gimp security update | |||
| CVE-2025-15269 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-15279 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-15275 | high | — | 8.0 | 4mo ago | RHSA-2026:7677: fontforge security update (Important) | |||
| CVE-2025-69971 | high | — | 8.0 | 4mo ago | FUXA has a hardcoded fallback JWT signing secret | |||
| CVE-2025-7016 | high | 8.0 | 8.0 | 4mo ago | Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. | |||
| CVE-2025-15468 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-11187 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-66199 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-15469 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-14180 | high | — | 8.0 | 4mo ago | RHSA-2026:1412: php:8.2 security update (Important) | |||
| CVE-2025-40248 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-38731 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-68301 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-38141 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-38349 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-66418 | high | — | 8.0 | 4mo ago | Important: fence-agents security update | |||
| CVE-2025-40294 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-68305 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-40258 | high | — | 8.0 | 4mo ago | Important: kernel security update | |||
| CVE-2025-4764 | high | 8.0 | 8.0 | 5mo ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue a… | |||
| CVE-2025-14423 | high | — | 8.0 | 5mo ago | Important: gimp security update | |||
| CVE-2025-61729 | high | — | 8.0 | 5mo ago | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string con… | |||
| CVE-2025-14422 | high | — | 8.0 | 5mo ago | RHSA-2026:1574: gimp:2.8 security update (Important) | |||
| CVE-2025-14424 | high | — | 8.0 | 5mo ago | Important: gimp security update | |||
| CVE-2025-14425 | high | — | 8.0 | 5mo ago | Important: gimp security update | |||
| CVE-2025-67269 | high | — | 8.0 | 5mo ago | Important: gpsd-minimal security update | |||
| CVE-2025-67268 | high | — | 8.0 | 5mo ago | Important: gpsd-minimal security update | |||
| CVE-2025-38703 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-66566 | high | — | 8.0 | 5mo ago | yawkat LZ4 Java has a possible information leak in Java safe decompressor | |||
| CVE-2025-39933 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-40277 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-38051 | high | — | 8.0 | 5mo ago | In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may acces… | |||
| CVE-2025-68287 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-68285 | high | — | 8.0 | 5mo ago | Important: kernel security update | |||
| CVE-2025-68973 | high | — | 8.0 | 5mo ago | RHSA-2026:0728: gnupg2 security update (Important) | |||
| CVE-2025-68615 | high | — | 8.0 | 5mo ago | RHSA-2026:0750: net-snmp security update (Important) | |||
| CVE-2025-14327 | high | — | 8.0 | 5mo ago | Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7. | |||
| CVE-2025-47913 | high | — | 8.0 | 5mo ago | RHSA-2026:0753: container-tools:rhel8 security update (Important) | |||
| CVE-2025-14523 | high | — | 8.0 | 5mo ago | RHSA-2026:1509: spice-client-win security update (Important) | |||
| CVE-2025-39993 | high | — | 8.0 | 5mo ago | In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe in… | |||
| CVE-2025-66293 | high | — | 8.0 | 5mo ago | RHSA-2026:9686: java-17-openjdk security update (Important) | |||
| CVE-2025-64720 | high | — | 8.0 | 5mo ago | RHSA-2026:0932: java-1.8.0-openjdk security update (Important) | |||
| CVE-2025-65018 | high | — | 8.0 | 5mo ago | RHSA-2026:0932: java-1.8.0-openjdk security update (Important) | |||
| CVE-2025-13699 | high | — | 8.0 | 5mo ago | RHSA-2026:0698: mariadb-devel:10.3 security update (Important) | |||
| CVE-2025-68156 | high | — | 8.0 | 6mo ago | Important: opentelemetry-collector security update | |||
| CVE-2025-66200 | high | — | 8.0 | 6mo ago | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an u… | |||
| CVE-2025-65082 | high | — | 8.0 | 6mo ago | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables cal… | |||
| CVE-2025-58098 | high | — | 8.0 | 6mo ago | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects A… | |||
| CVE-2025-55753 | high | — | 8.0 | 6mo ago | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certi… | |||
| CVE-2025-26625 | high | — | 8.0 | 6mo ago | Git LFS may write to arbitrary files via crafted symlinks | |||
| CVE-2025-43531 | high | — | 8.0 | 6mo ago | A race condition was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, wa… | |||
| CVE-2025-43535 | high | — | 8.0 | 6mo ago | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciou… | |||
| CVE-2025-43501 | high | — | 8.0 | 6mo ago | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Proce… | |||
| CVE-2025-43541 | high | — | 8.0 | 6mo ago | A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Process… | |||
| CVE-2025-43536 | high | — | 8.0 | 6mo ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciou… | |||
| CVE-2025-6069 | high | — | 8.0 | 6mo ago | The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. | |||
| CVE-2025-6075 | high | — | 8.0 | 6mo ago | Important: python3.12 security update | |||
| CVE-2025-4516 | high | — | 8.0 | 6mo ago | There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To… | |||
| CVE-2025-40176 | high | — | 8.0 | 6mo ago | Important: kernel security update | |||
| CVE-2025-39966 | high | — | 8.0 | 6mo ago | Important: kernel security update | |||
| CVE-2025-13609 | high | — | 8.0 | 6mo ago | Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices | |||
| CVE-2025-13499 | high | — | 8.0 | 6mo ago | Important: wireshark security update | |||
| CVE-2025-14321 | high | — | 8.0 | 6mo ago | Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-31651 | high | — | 8.0 | 6mo ago | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to… | |||
| CVE-2025-14331 | high | — | 8.0 | 6mo ago | Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14322 | high | — | 8.0 | 6mo ago | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Th… | |||
| CVE-2025-14333 | high | — | 8.0 | 6mo ago | Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort… | |||
| CVE-2025-14328 | high | — | 8.0 | 6mo ago | Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14325 | high | — | 8.0 | 6mo ago | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14324 | high | — | 8.0 | 6mo ago | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14329 | high | — | 8.0 | 6mo ago | Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14323 | high | — | 8.0 | 6mo ago | Privilege escalation in the DOM: Notifications component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14330 | high | — | 8.0 | 6mo ago | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. | |||
| CVE-2025-14229 | high | 8.0 | 8.0 | 6mo ago | A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads t… | |||
| CVE-2025-66287 | high | — | 8.0 | 6mo ago | A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling. | |||
| CVE-2025-13947 | high | — | 8.0 | 6mo ago | A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechani… | |||
| CVE-2025-43438 | high | — | 8.0 | 6mo ago | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watc… | |||
| CVE-2025-13502 | high | — | 8.0 | 6mo ago | A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspec… | |||
| CVE-2025-43392 | high | — | 8.0 | 6mo ago | The issue was addressed with improved handling of caches. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watch… | |||
| CVE-2025-43430 | high | — | 8.0 | 6mo ago | This issue was addressed through improved state management. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciou… |