Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Archived Security Brief
This curated brief highlights 15 critical vulnerabilities and 57 high-priority updates requiring immediate attention.
72 total vulnerabilities disclosed in last 24 hours
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2025-47812
9.5π
Wing FTP ServerWing FTP Server
β° Federal Deadline:August 3, 2025(3 days remaining)
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-25257
9.5π
FortinetFortiWeb
β° Federal Deadline:August 7, 2025(7 days remaining)
Fortinet FortiWeb SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-2775
9.5
SysAidSysAid On-Prem
β° Federal Deadline:August 11, 2025(11 days remaining)
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-2776
9.5
SysAidSysAid On-Prem
β° Federal Deadline:August 11, 2025(11 days remaining)
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-6558
9.5π
GoogleChromium
β° Federal Deadline:August 11, 2025(11 days remaining)
Google Chromium ANGLE and GPU Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-54309
9.5
CrushFTPCrushFTP
β° Federal Deadline:August 11, 2025(11 days remaining)
CrushFTP Unprotected Alternate Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-2533
9.5
PaperCutNG/MF
β° Federal Deadline:August 17, 2025(17 days remaining)
PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-20337
9.5π
CiscoIdentity Services Engine
β° Federal Deadline:August 17, 2025(17 days remaining)
Cisco Identity Services Engine Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-20281
9.5
CiscoIdentity Services Engine
β° Federal Deadline:August 17, 2025(17 days remaining)
Cisco Identity Services Engine Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2025-5954
9.8π
The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions upMultiple Products
The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting use...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-5947
9.8π
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions upMultiple Products
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly valid...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-52390
9.1π
Saurus CMS Community Edition since commitMultiple Products
Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application direc...
CVSS Base9.1
β
CRSSelect profile
CVE-2025-50870
9.8π
UnknownMultiple Products
Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corr...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-50460
9.8π
A remote code executionMultiple Products
A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If ...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-54574
9.3π
Squid is a caching proxy for theMultiple Products
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer man...
CVSS Base9.3
β
CRSSelect profile
CVE-2025-26062
9.8π
An access control issue in IntelbrasMultiple Products
An access control issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to access the router's settings file and obtain potentially sensitive information from the curren...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-8426
9.4π
Marvell QConvergeConsole compressConfigFiles Directory Traversal Information Disclosure andMultiple Products
Marvell QConvergeConsole compressConfigFiles Directory Traversal Information Disclosure and Denial-of-Service Vulnerability. This vulnerability allows remote attackers to disclose sensitive informatio...
CVSS Base9.4
β
CRSSelect profile
CVE-2025-50472
9.8π
TheMultiple Products
The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` c...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-50475
9.8π
An OS command injection vulnerability exists in RussoundMultiple Products
An OS command injection vulnerability exists in Russound MBX-PRE-D67F firmware version 3.1.6, allowing unauthenticated attackers to execute arbitrary commands as root via crafted input to the hostname...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-26063
9.8π
An issue in IntelbrasMultiple Products
An issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to execute arbitrary code via injecting a crafted payload into the ESSID name when creating a network.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-8286
9.8π
UnknownMultiple Products
GΓΌralp FMUS series seismic monitoring devicesΒ expose an unauthenticated Telnet-based command line interface that
could allow an attacker to modify hardware configurations, manipulate
data, or factor...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-8454
9.8π
It was discovered thatMultiple Products
It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-45150
9.8π
Insecure permissions inMultiple Products
Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-6000
9.1π
A privileged Vault operator within the root namespace with write permission toMultiple Products
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vaultβs configuration. Fix...
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-7847
8.8π
WordPressMultiple Products
The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2
CVSS Base8.8
β
CRSSelect profile
CVE-2025-7443
8.1π
WordPressMultiple Products
The BerqWP β Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the store_javascript_cache
CVSS Base8.1
β
CRSSelect profile
CVE-2025-54424
8.1π
MCPMultiple Products
1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server
CVSS Base8.1
β
CRSSelect profile
CVE-2025-52203
7.6π
storedMultiple Products
A stored cross-site scripting (XSS) vulnerability exists in DevaslanPHP project-management v1
CVSS Base7.6
β
CRSSelect profile
CVE-2025-24853
7.5π
carefullyMultiple Products
A carefully crafted request when creating a header link using the
wiki markup syntax, which could allow the attacker to execute javascript
in the victim's browser and get some sensitive information about the
victim
CVSS Base7.5
β
CRSSelect profile
CVE-2025-45769
7.3π
UnknownMultiple Products
php-jwt v6
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8431
7.3π
BookingMultiple Products
A vulnerability has been found in PHPGurukul Boat Booking System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8213
7.2π
WordPressMultiple Products
The NinjaScanner β Virus & Malware scan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'nscan_ajax_quarantine' and 'nscan_quarantine_select' functions in all versions up to, and including, 3
CVSS Base7.2
β
CRSSelect profile
CVE-2025-7725
7.2π
WordPressMultiple Products
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery β Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment feature in all versions up to, and including, 26
An unauthenticated remote attacker can cause a Denial of Service by sending a large number of requests to the http service on port 80
CVSS Base7.5
β
CRSSelect profile
CVE-2025-41688
7.2π
highMultiple Products
A high privileged remote attacker can execute arbitrary OS commands using an undocumented method allowing to escape the implemented LUA sandbox
CVSS Base7.2
β
CRSSelect profile
CVE-2025-53558
8.8
UnknownMultiple Products
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K
CVSS Base8.8
β
CRSSelect profile
CVE-2025-50572
8.8
RSAMultiple Products
An issue was discovered in Archer Technology RSA Archer 6
CVSS Base8.8
β
CRSSelect profile
CVE-2025-50850
8.6
issueMultiple Products
An issue was discovered in CS Cart 4
CVSS Base8.6
β
CRSSelect profile
CVE-2025-50849
8
CartMultiple Products
CS Cart 4
CVSS Base8
β
CRSSelect profile
CVE-2025-52289
8
MagnusBilling AMultiple Products
A Broken Access Control vulnerability in MagnusBilling v7
CVSS Base8
β
CRSSelect profile
CVE-2025-54564
7.8
HomeMultiple Products
uploadsm in ChargePoint Home Flex 5
CVSS Base7.8
β
CRSSelect profile
CVE-2025-51503
7.6
Microweber CMSMultiple Products
A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2
CVSS Base7.6
β
CRSSelect profile
CVE-2025-51504
7.6
MicroweberMultiple Products
Microweber CMS 2
CVSS Base7.6
β
CRSSelect profile
CVE-2023-32256
7.5
flawMultiple Products
A flaw was found in the Linux kernel's ksmbd component
CVSS Base7.5
β
CRSSelect profile
CVE-2025-2824
7.4
IBMMultiple Products
IBM Operational Decision Manager 8
CVSS Base7.4
β
CRSSelect profile
CVE-2025-8338
7.3
AdmissionMultiple Products
A vulnerability was found in projectworlds Online Admission System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8339
7.3
ManagementMultiple Products
A vulnerability was found in code-projects Intern Membership Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8348
7.3
CloudMultiple Products
A vulnerability has been found in Kehua Charging Pile Cloud Platform 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8371
7.3
FormMultiple Products
A vulnerability has been found in code-projects Exam Form Submission 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8372
7.3
FormMultiple Products
A vulnerability was found in code-projects Exam Form Submission 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8373
7.3
VehicleMultiple Products
A vulnerability was found in code-projects Vehicle Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8374
7.3
VehicleMultiple Products
A vulnerability was found in code-projects Vehicle Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8375
7.3
VehicleMultiple Products
A vulnerability was found in code-projects Vehicle Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8376
7.3
VehicleMultiple Products
A vulnerability classified as critical has been found in code-projects Vehicle Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8378
7.3
ReservationMultiple Products
A vulnerability was found in Campcodes Online Hotel Reservation System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8407
7.3
VehicleMultiple Products
A vulnerability, which was classified as critical, has been found in code-projects Vehicle Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8408
7.3
VehicleMultiple Products
A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-29556
7.3
ExaGridMultiple Products
ExaGrid EX10 6
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8409
7.3
VehicleMultiple Products
A vulnerability has been found in code-projects Vehicle Management 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-26064
7.3
IntelbrasMultiple Products
A cross-site scripting (XSS) vulnerability in Intelbras RX1500 v2
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8434
7.3
MovieMultiple Products
A vulnerability was found in code-projects Online Movie Streaming 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8435
7.3
MovieMultiple Products
A vulnerability was found in code-projects Online Movie Streaming 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8436
7.3
AdmissionMultiple Products
A vulnerability was found in projectworlds Online Admission System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8437
7.3
KitchenMultiple Products
A vulnerability classified as critical has been found in code-projects Kitchen Treasure 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8438
7.3
WazifaMultiple Products
A vulnerability classified as critical was found in code-projects Wazifa System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8439
7.3
WazifaMultiple Products
A vulnerability, which was classified as critical, has been found in code-projects Wazifa System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8441
7.3
MedicineMultiple Products
A vulnerability, which was classified as critical, was found in code-projects Online Medicine Guide 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8442
7.3
MedicineMultiple Products
A vulnerability has been found in code-projects Online Medicine Guide 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-8443
7.3
MedicineMultiple Products
A vulnerability was found in code-projects Online Medicine Guide 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-54595
7.3
PearcleanerMultiple Products
Pearcleaner is a free, source-available and fair-code licensed mac app cleaner
CVSS Base7.3
β
CRSSelect profile
CVE-2025-46359
7.2
pathMultiple Products
A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS
CVSS Base7.2
β
CRSSelect profile
CVE-2025-54593
7.2
FreshRSSMultiple Products
FreshRSS is a free, self-hostable RSS aggregator
CVSS Base7.2
β
CRSSelect profile
CVE-2025-5999
7.2
privilegedMultiple Products
A privileged Vault operator with write permissions to the root namespaceβs identity endpoint could escalate their own or another userβs token privileges to Vaultβs root policy