Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2023-2533
9.5
PaperCutNG/MF
⏰ Federal Deadline:August 17, 2025(1 days remaining)
PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-20337
9.5
CiscoIdentity Services Engine
⏰ Federal Deadline:August 17, 2025(1 days remaining)
Cisco Identity Services Engine Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-20281
9.5
CiscoIdentity Services Engine
⏰ Federal Deadline:August 17, 2025(1 days remaining)
Cisco Identity Services Engine Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-8876
9.5
N-ableN-Central
⏰ Federal Deadline:August 19, 2025(3 days remaining)
N-able N-Central Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-8875
9.5
N-ableN-Central
⏰ Federal Deadline:August 19, 2025(3 days remaining)
N-able N-Central Insecure Deserialization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2020-25078
9.5
D-LinkDCS-2530L and DCS-2670L Devices
⏰ Federal Deadline:August 25, 2025(9 days remaining)
D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2020-25079
9.5
D-LinkDCS-2530L and DCS-2670L Devices
⏰ Federal Deadline:August 25, 2025(9 days remaining)
D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2022-40799
9.5
D-LinkDNR-322L
⏰ Federal Deadline:August 25, 2025(9 days remaining)
D-Link DNR-322L Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-8088
9.5
RARLABWinRAR
⏰ Federal Deadline:September 1, 2025(16 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2007-0671
9.5
MicrosoftOffice
⏰ Federal Deadline:September 1, 2025(16 days remaining)
Microsoft Office Excel Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2013-3893
9.5
MicrosoftInternet Explorer
⏰ Federal Deadline:September 1, 2025(16 days remaining)
Microsoft Internet Explorer Resource Management Errors Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2025-8898
9.8
The Taxi Booking Manager for WoocommerceMultiple Products
The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin ...
CVSS Base9.8
→
CRSSelect profile
CVE-2025-7441
9.8
The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions upMultiple Products
The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API end...
CVSS Base9.8
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2025-7664
7.5
WordPressMultiple Products
The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1
CVSS Base7.5
→
CRSSelect profile
CVE-2024-12612
7.5
WordpressMultiple Products
The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX action in all versions up to, and including, 93
CVSS Base7.5
→
CRSSelect profile
CVE-2025-3671
8.8
WordpressMultiple Products
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6079
8.8
WordpressMultiple Products
The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6080
8.8
WordpressMultiple Products
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67
CVSS Base8.8
→
CRSSelect profile
CVE-2025-8142
8.8
WordPressMultiple Products
The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8
CVSS Base8.8
→
CRSSelect profile
CVE-2025-8105
7.3
WordPressMultiple Products
The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8
CVSS Base7.3
→
CRSSelect profile
CVE-2025-24975
7.1
FirebirdMultiple Products
Firebird is a relational database
CVSS Base7.1
→
CRSSelect profile
CVE-2025-49897
8.5
gopiplus VerticalMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection
CVSS Base8.5
→
CRSSelect profile
CVE-2025-9046
8.8
wasMultiple Products
A vulnerability was identified in Tenda AC20 16
CVSS Base8.8
→
CRSSelect profile
CVE-2025-49895
8.8
iThemesMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy
CVSS Base8.8
→
CRSSelect profile
CVE-2025-9087
8.8
hasMultiple Products
A vulnerability has been found in Tenda AC20 16
CVSS Base8.8
→
CRSSelect profile
CVE-2025-9088
8.8
wasMultiple Products
A vulnerability was found in Tenda AC20 16
CVSS Base8.8
→
CRSSelect profile
CVE-2025-9089
8.8
wasMultiple Products
A vulnerability was determined in Tenda AC20 16
CVSS Base8.8
→
CRSSelect profile
CVE-2025-1929
7.2
RiskMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazılım Teknolojileri Ltd
CVSS Base7.2
→
CRSSelect profile
CVE-2025-5046
7.8
maliciouslyMultiple Products
A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
→
CRSSelect profile
CVE-2025-5047
7.8
maliciouslyMultiple Products
A maliciously crafted DGN file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability
CVSS Base7.8
→
CRSSelect profile
CVE-2025-5048
7.8
maliciouslyMultiple Products
A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force a Memory Corruption vulnerability
CVSS Base7.8
→
CRSSelect profile
CVE-2025-8092
7.6
DrupalMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS)
CVSS Base7.6
→
CRSSelect profile
CVE-2025-8361
7.6
DrupalMultiple Products
Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing
CVSS Base7.6
→
CRSSelect profile
CVE-2025-8959
7.5
UnknownMultiple Products
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries
CVSS Base7.5
→
CRSSelect profile
CVE-2025-9028
7.3
MedicineMultiple Products
A vulnerability was found in code-projects Online Medicine Guide 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-9047
7.3
ManagementMultiple Products
A vulnerability has been found in projectworlds Visitor Management System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-9050
7.3
ManagementMultiple Products
A vulnerability was found in projectworlds Travel Management System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-9051
7.3
ManagementMultiple Products
A vulnerability was determined in projectworlds Travel Management System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-9052
7.3
ManagementMultiple Products
A vulnerability was identified in projectworlds Travel Management System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-9053
7.3
ManagementMultiple Products
A vulnerability has been found in projectworlds Travel Management System 1