Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
This curated brief highlights 31 critical vulnerabilities and 82 high-priority updates requiring immediate attention.
113 total vulnerabilities disclosed in last 24 hours
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-6543
9.5đ
CitrixNetScaler ADC and Gateway
â° Federal Deadline:July 20, 2025(5 days remaining)
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48928
9.5đ
TeleMessageTM SGNL
â° Federal Deadline:July 21, 2025(6 days remaining)
TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48927
9.5đ
TeleMessageTM SGNL
â° Federal Deadline:July 21, 2025(6 days remaining)
TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-6554
9.5đ
GoogleChromium V8
â° Federal Deadline:July 22, 2025(7 days remaining)
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2019-9621
9.5đ
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:July 27, 2025(12 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2019-5418
9.5đ
RailsRuby on Rails
â° Federal Deadline:July 27, 2025(12 days remaining)
Rails Ruby on Rails Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2016-10033
9.5đ
PHPPHPMailer
â° Federal Deadline:July 27, 2025(12 days remaining)
PHPMailer Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2014-3931
9.5đ
Looking GlassMulti-Router Looking Glass (MRLG)
â° Federal Deadline:July 27, 2025(12 days remaining)
Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-47812
9.5đ
Wing FTP ServerWing FTP Server
â° Federal Deadline:August 3, 2025(19 days remaining)
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-53890
9.8đ
pyload is anMultiple Products
pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoadâs CAPTCHA processing code allows unauthenticated remote attackers to execute a...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7340
9.8đ
The HT Contact Form Widget For Elementor Page BuilderMultiple Products
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_fi...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7341
9.1đ
The HT Contact Form Widget For Elementor Page BuilderMultiple Products
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the t...
CVSS Base9.1
â
CRSSelect profile
CVE-2025-7360
9.1đ
The HT Contact Form Widget For Elementor Page BuilderMultiple Products
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the han...
CVSS Base9.1
â
CRSSelect profile
CVE-2025-24759
9.3đ
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Blind SQL Injection. ...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-5394
9.8đ
The AloneMultiple Products
The Alone â Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() func...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-5393
9.1đ
The AloneMultiple Products
The Alone â Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data(...
CVSS Base9.1
â
CRSSelect profile
CVE-2025-50067
9đ
Vulnerability in Oracle Application ExpressMultiple Products
Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vulnerability allows low privil...
CVSS Base9
â
CRSSelect profile
CVE-2025-20337
10đ
A vulnerability in a specific API of Cisco ISE and CiscoMultiple Products
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does...
CVSS Base10
â
CRSSelect profile
CVE-2025-29009
10đ
Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce allows Upload a Web Shell to a WebMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Medical Pre...
CVSS Base10
â
CRSSelect profile
CVE-2025-41236
9.3đ
VMwareMultiple Products
VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual machine with ...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-41237
9.3đ
VMwareMultiple Products
VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative pr...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-41238
9.3đ
VMwareMultiple Products
VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor with local administra...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-52376
9.8đ
An authentication bypass vulnerability in theMultiple Products
An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet s...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7673
9.8đ
A buffer overflow vulnerability in the URL parser of the zhttpd web server in ZyxelMultiple Products
A buffer overflow vulnerability in the URL parser of the zhttpd web server in Zyxel VMG8825-T50K firmware versions prior to V5.50(ABOM.5)C0 could allow an unauthenticated attacker to cause denial-of-s...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-3621
9.6đ
UnknownMultiple Products
Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems.Â
* vulnerabilities:
*
Improper Neutralization of Special Elem...
CVSS Base9.6
â
CRSSelect profile
CVE-2025-48300
9.1đ
Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg allows Upload a Web Shell to a WebMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg allows Upload a Web Shell to a Web Server. This issue affects Groundhogg: from n/a through 4.2.1.
CVSS Base9.1
â
CRSSelect profile
CVE-2025-28961
9.8đ
Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows ObjectMultiple Products
Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-30949
9.8đ
Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows ObjectMultiple Products
Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-30973
9.8đ
Deserialization of Untrusted Data vulnerability inMultiple Products
Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-52836
9.8
Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd TheMultiple Products
Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-28959
9.3
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Md Yeasin Ul Haider URL Shortener allows SQL Injection. This issue affects URL Shortener: from n/a...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-28982
9.3
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThimPress WP Pipes allows SQL Injection. This issue affects WP Pipes: from n/a through 1.4.3.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-30936
9.3
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod allows SQL Injection. This issue affects Torod: fro...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-52714
9.3
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler allows SQL Injection. This issue affects Traveler: from n/a through n/a.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-53836
9.9đ
XWiki Rendering is a generic rendering system that converts textual input in a given syntaxMultiple Products
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to ...
CVSS Base9.9
â
CRSSelect profile
CVE-2025-52688
9.8
Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the accessMultiple Products
Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availab...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-52689
9.8
Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the loginMultiple Products
Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the ...
CVSS Base9.8
â
CRSSelect profile
CVE-2024-9342
9.8
In Eclipse GlassFish versionMultiple Products
In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.
CVSS Base9.8
â
CRSSelect profile
CVE-2024-9408
9.8
In Eclipse GlassFish since versionMultiple Products
In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54010
9.6
UnknownMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets allows Cross Site Request Forgery. This issue affects FluentSnippets: from n/a through 10.50.
CVSS Base9.6
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-7359
8.2đ
WordPressMultiple Products
The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1
CVSS Base8.2
â
CRSSelect profile
CVE-2025-50060
8.1đ
OracleMultiple Products
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server)
CVSS Base8.1
â
CRSSelect profile
CVE-2025-28955
7.5đ
WordpressMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in FWDesign Easy Video Player Wordpress & WooCommerce allows Path Traversal
CVSS Base7.5
â
CRSSelect profile
CVE-2025-7657
8.8đ
GoogleMultiple Products
Use after free in WebRTC in Google Chrome prior to 138
CVSS Base8.8
â
CRSSelect profile
CVE-2025-31422
8.8đ
WordPressMultiple Products
Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2025-2800
7.2đ
WordPressMultiple Products
The WP Event Manager â Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the âorganizer_name' parameter in all versions up to, and including, 3
CVSS Base7.2
â
CRSSelect profile
CVE-2025-6993
7.5đ
WordPressMultiple Products
The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the get_email_log_details() AJAX handler in versions 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-6558
8.8đ
GoogleMultiple Products
Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138
CVSS Base8.8
â
CRSSelect profile
CVE-2025-7656
8.8đ
GoogleMultiple Products
Integer overflow in V8 in Google Chrome prior to 138
CVSS Base8.8
â
CRSSelect profile
CVE-2025-30751
8.8đ
OracleMultiple Products
Vulnerability in the Oracle Database component of Oracle Database Server
CVSS Base8.8
â
CRSSelect profile
CVE-2025-50059
8.6đ
OracleMultiple Products
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking)
CVSS Base8.6
â
CRSSelect profile
CVE-2025-53024
8.2đ
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
â
CRSSelect profile
CVE-2025-53027
8.2đ
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
â
CRSSelect profile
CVE-2025-53028
8.2đ
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
â
CRSSelect profile
CVE-2025-7667
8.1đ
WordPressMultiple Products
The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1
CVSS Base8.1
â
CRSSelect profile
CVE-2025-30743
8.1đ
OracleMultiple Products
Vulnerability in the Oracle Lease and Finance Management product of Oracle E-Business Suite (component: Internal Operations)
CVSS Base8.1
â
CRSSelect profile
CVE-2025-30744
8.1đ
OracleMultiple Products
Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors)
CVSS Base8.1
â
CRSSelect profile
CVE-2025-30749
8.1đ
OracleMultiple Products
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D)
CVSS Base8.1
â
CRSSelect profile
CVE-2025-50062
8.1đ
OracleMultiple Products
Vulnerability in the PeopleSoft Enterprise HCM Global Payroll Core product of Oracle PeopleSoft (component: Global Payroll for Core)
CVSS Base8.1
â
CRSSelect profile
CVE-2025-50105
8.1đ
OracleMultiple Products
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Administration)
CVSS Base8.1
â
CRSSelect profile
CVE-2025-50106
8.1đ
OracleMultiple Products
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D)
CVSS Base8.1
â
CRSSelect profile
CVE-2025-6043
8.1
WordPressMultiple Products
The Malcure Malware Scanner â #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 16
CVSS Base8.1
â
CRSSelect profile
CVE-2025-50069
7.7đ
OracleMultiple Products
Vulnerability in the Java VM component of Oracle Database Server
CVSS Base7.7
â
CRSSelect profile
CVE-2025-30762
7.5
OracleMultiple Products
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)
CVSS Base7.5
â
CRSSelect profile
CVE-2025-37105
7.5
LicenseMultiple Products
An hsqldb-related remote code execution vulnerability exists in HPE AutoPass License Server (APLS) prior to 9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-50063
7.3
OracleMultiple Products
Vulnerability in Oracle Java SE (component: Install)
CVSS Base7.3
â
CRSSelect profile
CVE-2025-31055
7.1
WordPressMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vergatheme Electrician - Electrical Service WordPress allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-31072
7.1
WordPressMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Ofiz - WordPress Business Consulting Theme allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-31427
7.1
WordPressMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-46500
7.1
WordpressMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ValvePress Wordpress Auto Spinner allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-47554
7.1
WordPressMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-52779
7.1
karimmughal DotMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-37106
7.3
LicenseMultiple Products
An authentication bypass and disclosure of information vulnerability exists in HPE AutoPass License Server (APLS) prior to 9
CVSS Base7.3
â
CRSSelect profile
CVE-2025-37107
7.3
LicenseMultiple Products
An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9
CVSS Base7.3
â
CRSSelect profile
CVE-2025-48161
7.6
YayCommerce YaySMTPMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2025-48301
7.6
YayCommerce SMTPMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for SendGrid â YaySMTP allows SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2025-54043
7.6
YayCommerce SMTPMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for Amazon SES allows SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2025-41239
7.1
VMwareMultiple Products
VMware ESXi, Workstation, Fusion, and VMware Tools contains an information disclosure vulnerability due to the usage of an uninitialised memory in vSockets
CVSS Base7.1
â
CRSSelect profile
CVE-2025-37104
7.1
securityMultiple Products
A security vulnerability has been identified in HPE Telco Service Orchestrator software
CVSS Base7.1
â
CRSSelect profile
CVE-2025-47645
8.5
ELEXtensions ELEXMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-40776
8.6
EDNSMultiple Products
A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack
CVSS Base8.6
â
CRSSelect profile
CVE-2025-24777
8.8
awethemes HillterMultiple Products
Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2025-24779
8.8
DeserializationMultiple Products
Deserialization of Untrusted Data vulnerability in NooTheme Yogi allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2025-48345
7.1
arisoft ContactMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft Contact Form 7 Editor Button allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-49888
7.1
pimwick PWMultiple Products
Missing Authorization vulnerability in pimwick PW WooCommerce On Sale! allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.1
â
CRSSelect profile
CVE-2025-52777
7.1
cmsMinds Pay withMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmsMinds Pay with Contact Form 7 allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-54026
8.5
QuanticaLabs GymBaseMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuanticaLabs GymBase Theme Classes allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-32574
8.5
ImproperMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-49876
8.5
Metagauss ProfileGridMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-52819
8.5
pakkemx PakkeMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pakkemx Pakke EnvÃos allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-32874
7.4
DetectiveMultiple Products
An issue was discovered in Kaseya Rapid Fire Tools Network Detective through 2
CVSS Base7.4
â
CRSSelect profile
CVE-2025-26186
8.1
openSIS SQL InjectionMultiple Products
SQL Injection vulnerability in openSIS v
CVSS Base8.1
â
CRSSelect profile
CVE-2025-48153
7.1
Atakan Au ImportMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au Import CDN-Remote Images allows Stored XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-6971
7.8
SOLIDWORKSMultiple Products
Use After Free vulnerability exists in the CATPRODUCT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
CVSS Base7.8
â
CRSSelect profile
CVE-2025-6972
7.8
SOLIDWORKSMultiple Products
Use After Free vulnerability exists in the CATPRODUCT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
CVSS Base7.8
â
CRSSelect profile
CVE-2025-6973
7.8
SOLIDWORKSMultiple Products
Use After Free vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
CVSS Base7.8
â
CRSSelect profile
CVE-2025-7042
7.8
SOLIDWORKSMultiple Products
Use After Free vulnerability exists in the IPT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
CVSS Base7.8
â
CRSSelect profile
CVE-2025-48299
7.6
YayCommerce YayExtraMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayExtra allows SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2025-49034
7.6
FunnelKit FunnelMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2025-53990
7.2
jetmonstersMultiple Products
Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder allows Object Injection
CVSS Base7.2
â
CRSSelect profile
CVE-2025-28965
8.6
Md Yeasin Ul HaiderMultiple Products
Missing Authorization vulnerability in Md Yeasin Ul Haider URL Shortener allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base8.6
â
CRSSelect profile
CVE-2025-53923
8.2
EmlogMultiple Products
Emlog is an open source website building system
CVSS Base8.2
â
CRSSelect profile
CVE-2025-52690
8.1
SuccessfulMultiple Products
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point
CVSS Base8.1
â
CRSSelect profile
CVE-2025-0831
7.8
SOLIDWORKSMultiple Products
Out-Of-Bounds Read vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
CVSS Base7.8
â
CRSSelect profile
CVE-2025-6974
7.8
SOLIDWORKSMultiple Products
Use of Uninitialized Variable vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025
CVSS Base7.8
â
CRSSelect profile
CVE-2025-53959
7.6
YouTrackMultiple Products
In JetBrains YouTrack before 2025
CVSS Base7.6
â
CRSSelect profile
CVE-2024-42650
7.5
NanoMQMultiple Products
NanoMQ 0
CVSS Base7.5
â
CRSSelect profile
CVE-2025-29000
7.5
August InfotechMultiple Products
Missing Authorization vulnerability in August Infotech Multi-language Responsive Contact Form allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.5
â
CRSSelect profile
CVE-2025-31070
7.5
LambertGroupMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup HTML5 Radio Player - WPBakery Page Builder Addon allows Path Traversal
CVSS Base7.5
â
CRSSelect profile
CVE-2025-52803
7.5
MissingMultiple Products
Missing Authorization vulnerability in uxper Sala allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.5
â
CRSSelect profile
CVE-2025-52804
7.5
MissingMultiple Products
Missing Authorization vulnerability in uxper Nuss allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.5
â
CRSSelect profile
CVE-2025-36097
7.5
IBMMultiple Products
IBM WebSphere Application Server 9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-40777
7.5
If aMultiple Products
If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure
CVSS Base7.5
â
CRSSelect profile
CVE-2025-40923
7.3
beforeMultiple Products
Plack-Middleware-Session before version 0
CVSS Base7.3
â
CRSSelect profile
CVE-2025-6265
7.2
A path traversalMultiple Products
A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7
CVSS Base7.2
â
CRSSelect profile
CVE-2025-50819
7.1
beiyuouo DirectoryMultiple Products
Directory traversal vulnerability in beiyuouo arxiv-daily thru 2025-05-06 (commit fad168770b0e68aef3e5acfa16bb2e7a7765d687) when parsing the the topic
CVSS Base7.1
â
CRSSelect profile
CVE-2025-30955
7.1
ImproperMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes ListingEasy allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-47652
7.1
Infility InfilityMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48291
7.1
Wasiliy StreckerMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery allows Stored XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-49031
7.1
StefanMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stefan M
CVSS Base7.1
â
CRSSelect profile
CVE-2025-52786
7.1
Kingdom CreationMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kingdom Creation Media Folder allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-52787
7.1
EZiHosting TennisMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EZiHosting Tennis Court Bookings allows Reflected XSS