Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
This curated brief highlights 10 critical vulnerabilities and 36 high-priority updates requiring immediate attention.
54 total vulnerabilities disclosed in last 24 hours
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-2775
9.5
SysAidSysAid On-Prem
â° Federal Deadline:August 11, 2025(4 days remaining)
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-2776
9.5
SysAidSysAid On-Prem
â° Federal Deadline:August 11, 2025(4 days remaining)
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-6558
9.5đ
GoogleChromium
â° Federal Deadline:August 11, 2025(4 days remaining)
Google Chromium ANGLE and GPU Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-54309
9.5
CrushFTPCrushFTP
â° Federal Deadline:August 11, 2025(4 days remaining)
CrushFTP Unprotected Alternate Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-2533
9.5
PaperCutNG/MF
â° Federal Deadline:August 17, 2025(10 days remaining)
PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-20337
9.5đ
CiscoIdentity Services Engine
â° Federal Deadline:August 17, 2025(10 days remaining)
Cisco Identity Services Engine Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-20281
9.5
CiscoIdentity Services Engine
â° Federal Deadline:August 17, 2025(10 days remaining)
Cisco Identity Services Engine Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2020-25078
9.5
D-LinkDCS-2530L and DCS-2670L Devices
â° Federal Deadline:August 25, 2025(18 days remaining)
D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2020-25079
9.5
D-LinkDCS-2530L and DCS-2670L Devices
â° Federal Deadline:August 25, 2025(18 days remaining)
D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-40799
9.5
D-LinkDNR-322L
â° Federal Deadline:August 25, 2025(18 days remaining)
D-Link DNR-322L Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-8356
9.8đ
In Xerox FreeFlow Core versionMultiple Products
In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the atta...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-53606
9.8đ
Deserialization of Untrusted Data vulnerability in Apache SeataMultiple Products
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).
This issue affects Apache Seata (incubating): 2.4.0.
Users are recommended to upgrade to version 2.5.0, which fixes the ...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-48913
9.8đ
If untrusted users are allowed to configure JMS for ApacheMultiple Products
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to rej...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8731
9.8đ
A vulnerability was found in TRENDnetMultiple Products
A vulnerability was found in TRENDnet TI-G160i, TI-PG102i and TPL-430AP up to 20250724. It has been classified as critical. This affects an unknown part of the component SSH Service. The manipulation ...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54887
9.1đ
jwe is a Ruby implementation of the RFCMultiple Products
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of con...
CVSS Base9.1
â
CRSSelect profile
CVE-2025-54952
9.8đ
An integer overflow vulnerability in the loading of ExecuTorch models can causeMultiple Products
An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effec...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8730
9.8đ
A vulnerability was found in BelkinMultiple Products
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulatio...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8284
9.8
ByMultiple Products
By default, the Packet Power Monitoring and Control Web Interface do not
enforce authentication mechanisms. This vulnerability could allow
unauthorized users to access and manipulate monitoring and ...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-52913
9.8
A vulnerability in the NuPoint Unified MessagingMultiple Products
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to insuffic...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-5095
9.8
Burk Technology ARCMultiple Products
Burk Technology ARC Solo's password change mechanism can be utilized without proper
authentication procedures, allowing an attacker to take over the device.
A password change request can be sent dir...
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-8576
8.8đ
GoogleMultiple Products
Use after free in Extensions in Google Chrome prior to 139
CVSS Base8.8
â
CRSSelect profile
CVE-2025-8578
8.8đ
GoogleMultiple Products
Use after free in Cast in Google Chrome prior to 139
CVSS Base8.8
â
CRSSelect profile
CVE-2025-4796
8.8đ
WordPressMultiple Products
The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4
CVSS Base8.8
â
CRSSelect profile
CVE-2025-55077
7.4đ
MicrosoftMultiple Products
Tyler Technologies ERP Pro 9 SaaS allows an authenticated user to escape the application and execute limited operating system commands within the remote Microsoft Windows environment with the privileges of the authenticated user
CVSS Base7.4
â
CRSSelect profile
CVE-2020-9322
8.8đ
CoreMultiple Products
The /users endpoint in Statamic Core before 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-53787
8.2đ
MicrosoftMultiple Products
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
CVSS Base8.2
â
CRSSelect profile
CVE-2025-8355
7.5đ
CoreMultiple Products
In Xerox FreeFlow Core version 8
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54882
7.1đ
MicrosoftMultiple Products
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune
CVSS Base7.1
â
CRSSelect profile
CVE-2025-3770
7đ
BIOS where anMultiple Products
EDK2 contains a vulnerability in BIOS where an attacker may cause âProtection Mechanism Failureâ by local access
CVSS Base7
â
CRSSelect profile
CVE-2025-26513
7đ
priorMultiple Products
The installer for SAN Host Utilities for Windows versions prior to 8
CVSS Base7
â
CRSSelect profile
CVE-2025-24000
8.8đ
WPExperts Post SMTPMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass
CVSS Base8.8
â
CRSSelect profile
CVE-2025-54886
8.4đ
skopsMultiple Products
skops is a Python library which helps users share and ship their scikit-learn based models
CVSS Base8.4
â
CRSSelect profile
CVE-2025-53520
8.8đ
affectedMultiple Products
The affected product allows firmware updates to be downloaded from EG4's
website, transferred via USB dongles, or installed through EG4's
Monitoring Center (remote, cloud-connected interface) or via a serial
connection, and can install these files without integrity checks
CVSS Base8.8
â
CRSSelect profile
CVE-2025-8393
7.3đ
TLSMultiple Products
A TLS vulnerability exists in the phone application used to manage a
connected device
CVSS Base7.3
â
CRSSelect profile
CVE-2023-41520
8.8đ
StudentMultiple Products
Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createClassArms
CVSS Base8.8
â
CRSSelect profile
CVE-2023-41521
8.8
StudentMultiple Products
Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createSessionTerm
CVSS Base8.8
â
CRSSelect profile
CVE-2023-41522
8.8
StudentMultiple Products
Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createStudents
CVSS Base8.8
â
CRSSelect profile
CVE-2023-41523
8.8
StudentMultiple Products
Student Attendance Management System v1 was discovered to contain a SQL injection vulnerability via the emailAddress parameter at createClassTeacher
CVSS Base8.8
â
CRSSelect profile
CVE-2023-41524
8.8
StudentMultiple Products
Student Attendance Management System v1 was discovered to contain a SQL injection vulnerability via the username parameter at index
CVSS Base8.8
â
CRSSelect profile
CVE-2023-41531
8.8
HospitalMultiple Products
Hospital Management System v4 was discovered to contain multiple SQL injection vulnerabilities in func3
CVSS Base8.8
â
CRSSelect profile
CVE-2023-41532
8.8
HospitalMultiple Products
Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the doctor_contact parameter in doctorsearch
CVSS Base8.8
â
CRSSelect profile
CVE-2025-54785
8.8
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.8
â
CRSSelect profile
CVE-2025-54788
8.8
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.8
â
CRSSelect profile
CVE-2025-51629
8.8
PdfViewerMultiple Products
A cross-site scripting (XSS) vulnerability in the PdfViewer component of Agenzia Impresa Eccobook 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-8748
8.8
MiRMultiple Products
MiR software versions prior to version 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-52914
8.8
SuiteMultiple Products
A vulnerability in the Suite Applications Services component of Mitel MiCollab 10
CVSS Base8.8
â
CRSSelect profile
CVE-2025-47219
8.1
GStreamerMultiple Products
In GStreamer through 1
CVSS Base8.1
â
CRSSelect profile
CVE-2025-46414
8.1
affectedMultiple Products
The affected product does not limit the number of attempts for inputting
the correct PIN for a registered product, which may allow an attacker
to gain unauthorized access using brute-force methods if they possess a
valid device serial number
CVSS Base8.1
â
CRSSelect profile
CVE-2025-50675
7.8
GPMAWMultiple Products
GPMAW 14, a bioinformatics software, has a critical vulnerability related to insecure file permissions in its installation directory
CVSS Base7.8
â
CRSSelect profile
CVE-2025-35970
7.5
multipleMultiple Products
On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP
CVSS Base7.5
â
CRSSelect profile
CVE-2025-55137
7.4
LinkJoinMultiple Products
LinkJoin through 882f196 mishandles lacks type checking in password reset
CVSS Base7.4
â
CRSSelect profile
CVE-2025-55138
7.4
LinkJoinMultiple Products
LinkJoin through 882f196 mishandles token ownership in password reset