Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Tuesday's Security Snapshot: High-Volume Alert Day
Heavy Critical Load: 10 critical vulnerabilities demand immediate attention, including fresh threats from Sophos Firewall and WinMatrix3
Federal Deadline TODAY: Google Chromium V8 KEV vulnerability expires at midnight - patch Chrome/Edge browsers NOW
Fresh Threat Surge: 100+ high-priority vulnerabilities disclosed, with major spikes in IrfanView plugin and D-Link router exploits
Weekend Backlog: Enhanced collection captured 3-day vulnerability accumulation, showing the real-world impact of delayed weekend patching
Immediate action: Immediate patching required for Google Chromium V8 KEV vulnerability expiring today
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEV
CVE-2025-6554
9.5đ
GoogleChromium V8
â° Federal Deadline:July 22, 2025
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2019-9621
9.5đ
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:July 27, 2025(5 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2019-5418
9.5đ
RailsRuby on Rails
â° Federal Deadline:July 27, 2025(5 days remaining)
Rails Ruby on Rails Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2016-10033
9.5đ
PHPPHPMailer
â° Federal Deadline:July 27, 2025(5 days remaining)
PHPMailer Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2014-3931
9.5đ
Looking GlassMulti-Router Looking Glass (MRLG)
â° Federal Deadline:July 27, 2025(5 days remaining)
Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-47812
9.5đ
Wing FTP ServerWing FTP Server
â° Federal Deadline:August 3, 2025(12 days remaining)
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-25257
9.5đ
FortinetFortiWeb
â° Federal Deadline:August 7, 2025(16 days remaining)
Fortinet FortiWeb SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-7343
9.8đ
The SFT developed by Digiwin has a SQL InjectionMultiple Products
The SFT developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-6704
9.8đ
An arbitrary file writing vulnerability in the Secure PDF eXchangeMultiple Products
An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2)Â can lead to pre-auth remote code execution, if a specific conf...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-36846
9.8đ
An issue was discovered in Eveo URVE Web ManagerMultiple Products
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. Th...
CVSS Base9.8
â
CRSSelect profile
CVE-2020-26799
9.8đ
A reflectedMultiple Products
A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7624
9.8đ
An SQL injection vulnerability in the legacyMultiple Products
An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, if a quarantining policy is active for...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7916
9.8đ
UnknownMultiple Products
WinMatrix3 developed by Simopro Technology has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously craft...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7918
9.8đ
UnknownMultiple Products
WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete databas...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7921
9.8đ
Certain modem models developed by Askey has aMultiple Products
Certain modem models developed by Askey has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and potentially execute arbit...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54122
10đ
UnknownMultiple Products
Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desk...
CVSS Base10
â
CRSSelect profile
CVE-2024-6107
9.6đ
Due to insufficientMultiple Products
Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the correspo...
CVSS Base9.6
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-47917
8.9đ
TLSMultiple Products
Mbed TLS before 3
CVSS Base8.9
â
CRSSelect profile
CVE-2025-7344
8.8đ
EAIMultiple Products
The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API