CVE Brief - August 19, 2025

Tuesday, August 19, 2025 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Select your system profile:

Risk scores will be adjusted based on your selected environment

Archived Security Brief

Critical surge as 16 high-severity vulnerabilities demand immediate attention while N-able KEV flaws breach federal deadline.

N-able N-Central vulnerabilities now past federal deadline (0 days remaining)
16 critical CVEs represent significant increase from yesterday's 8 vulnerabilities
Database privilege escalation bugs threaten PostgreSQL environments
VaulTLS authentication bypass exposes mTLS infrastructure to complete compromise
WordPress ecosystem under attack with multiple plugin vulnerabilities discovered

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

CISA Known Exploited Vulnerabilities

⚠️ CISA KEV URGENT

CVE-2025-8876

9.5 📝

N-able N-Central August 12, 2025

⏰ Federal Deadline: August 19, 2025 (1 days remaining)

N-able N-Central Command Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-8875

9.5 📝

N-able N-Central August 12, 2025

⏰ Federal Deadline: August 19, 2025 (1 days remaining)

N-able N-Central Insecure Deserialization Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2020-25078

9.5

D-Link DCS-2530L and DCS-2670L Devices August 4, 2025

⏰ Federal Deadline: August 25, 2025 (7 days remaining)

D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2020-25079

9.5

D-Link DCS-2530L and DCS-2670L Devices August 4, 2025

⏰ Federal Deadline: August 25, 2025 (7 days remaining)

D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2022-40799

9.5

D-Link DNR-322L August 4, 2025

⏰ Federal Deadline: August 25, 2025 (7 days remaining)

D-Link DNR-322L Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-8088

9.5

RARLAB WinRAR August 11, 2025

⏰ Federal Deadline: September 1, 2025 (14 days remaining)

RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2007-0671

9.5

Microsoft Office August 11, 2025

⏰ Federal Deadline: September 1, 2025 (14 days remaining)

Microsoft Office Excel Remote Code Execution Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2013-3893

9.5

Microsoft Internet Explorer August 11, 2025

⏰ Federal Deadline: September 1, 2025 (14 days remaining)

Microsoft Internet Explorer Resource Management Errors Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-54948

9.5 📝

Trend Micro Apex One August 17, 2025

⏰ Federal Deadline: September 7, 2025 (20 days remaining)

Trend Micro Apex One OS Command Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

Critical Vulnerabilities

CVE-2025-55282

9.1 📝

Unknown Multiple Products Aug 18, 2025

aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows a user to elevate to superuser inside PostgreSQL databases during a migr...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-55283

9.1 📝

Unknown Multiple Products Aug 18, 2025

aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows elevation to superuser inside PostgreSQL databases during a migration fr...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-8723

9.8 📝

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its Multiple Products Aug 19, 2025

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all ...

CVSS Base 9.8

→

CRS Select profile

CVE-2024-44373

9.8 📝

A Path Traversal vulnerability in AllSky Multiple Products Aug 19, 2025

A Path Traversal vulnerability in AllSky v2023.05.01_04 allows an unauthenticated attacker to create a webshell and remote code execution via the path, content parameter to /includes/save_file.php.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-6758

9.8 📝

The Real Spaces Multiple Products Aug 19, 2025

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This ...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-55205

9 📝

Capsule is a Multiple Products Aug 18, 2025

Capsule is a multi-tenancy and policy-based framework for Kubernetes. A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant users to inject arbitrary lab...

CVSS Base 9

→

CRS Select profile

CVE-2025-55733

9.6 📝

DeepChat is a smart assistant that connects powerful AI to your personal Multiple Products Aug 19, 2025

DeepChat is a smart assistant that connects powerful AI to your personal world. DeepChat before 0.3.1 has a one-click remote code execution vulnerability. An attacker can exploit this vulnerability b...

CVSS Base 9.6

→

CRS Select profile

CVE-2025-55299

9.4 📝

VaulTLS is a modern solution for managing mTLS Multiple Products Aug 18, 2025

VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty but not NULL password set, attackers can use this ...

CVSS Base 9.4

→

CRS Select profile

CVE-2025-31715

9.8 📝

In vowifi Multiple Products Aug 18, 2025

In vowifi service, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-55306

9.8 📝

Unknown Multiple Products Aug 19, 2025

GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-54117

9 📝

NamelessMC is a Multiple Products Aug 18, 2025

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject...

CVSS Base 9

→

CRS Select profile

CVE-2025-50567

10 📝

Saurus CMS Community Edition Multiple Products Aug 19, 2025

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. ...

CVSS Base 10

→

CRS Select profile

CVE-2025-55591

9.8 📝

Unknown Multiple Products Aug 18, 2025

TOTOLINK-A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapDel endpoint.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-54336

9.8 📝

In Plesk Obsidian Multiple Products Aug 19, 2025

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evalua...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-55294

9.8 📝

Unknown Multiple Products Aug 19, 2025

screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot f...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-55293

9.4 📝

Meshtastic is an open source mesh networking Multiple Products Aug 18, 2025

Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses...

CVSS Base 9.4

→

CRS Select profile

High Priority Updates

CVE-2025-8218

8.8 📝

WordPress Multiple Products August 19, 2025

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'change_role_member' parameter in all versions up to, and including, 3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-7670

7.5 📝

WordPress Multiple Products August 19, 2025

The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6

CVSS Base 7.5

→

CRS Select profile

CVE-2025-4044

8.2 📝

Improper Multiple Products August 19, 2025

Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL

CVSS Base 8.2

→

CRS Select profile

CVE-2025-55287

8 📝

Genealogy Multiple Products August 19, 2025

Genealogy is a family tree PHP application

CVSS Base 8

→

CRS Select profile

CVE-2025-9150

7.3 📝

was Multiple Products August 19, 2025

A vulnerability was identified in Surbowl dormitory-management-php up to 9f1d9d1f528cabffc66fda3652c56ff327fda317

CVSS Base 7.3

→

CRS Select profile

CVE-2025-53192

8.8 📝

Apache Commons Multiple Products August 19, 2025

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL

CVSS Base 8.8

→

CRS Select profile

CVE-2025-4962

7.7 📝

Insecure Multiple Products August 19, 2025

An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0

CVSS Base 7.7

→

CRS Select profile

CVE-2025-53948

7.5 📝

PACS Multiple Products August 19, 2025

The Sante PACS Server allows a remote attacker to crash the main thread by sending a crafted HL7 message, causing a denial-of-service condition

CVSS Base 7.5

→

CRS Select profile

CVE-2025-36120

8.8 📝

IBM Multiple Products August 19, 2025

IBM Storage Virtualize 8

CVSS Base 8.8

→

CRS Select profile

CVE-2025-7654

8.8 📝

Multiple Multiple Products August 19, 2025

Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode

CVSS Base 8.8

→

CRS Select profile

CVE-2025-52478

8.7 📝

Unknown Multiple Products August 19, 2025

n8n is a workflow automation platform

CVSS Base 8.7

→

CRS Select profile

CVE-2025-32992

8.5 📝

ePort Multiple Products August 19, 2025

Thermo Fisher Scientific ePort through 3

CVSS Base 8.5

→

CRS Select profile

CVE-2025-4046

8.5 📝

Lexmark Cloud Multiple Products August 19, 2025

A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization

CVSS Base 8.5

→

CRS Select profile

CVE-2025-31713

8.4 📝

engineer Multiple Products August 19, 2025

In engineer mode service, there is a possible command injection due to improper input validation

CVSS Base 8.4

→

CRS Select profile

CVE-2025-8450

8.2 📝

Improper Multiple Products August 19, 2025

Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page

CVSS Base 8.2

→

CRS Select profile

CVE-2025-8098

7.8 📝

improper Multiple Products August 19, 2025

An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges

CVSS Base 7.8

→

CRS Select profile

CVE-2025-41392

7.8 📝

prior Multiple Products August 19, 2025

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12

CVSS Base 7.8

→

CRS Select profile

CVE-2025-53705

7.8 📝

prior Multiple Products August 19, 2025

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12

CVSS Base 7.8

→

CRS Select profile

CVE-2025-46269

7.8 📝

prior Multiple Products August 19, 2025

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12

CVSS Base 7.8

→

CRS Select profile

CVE-2025-52584

7.8 📝

prior Multiple Products August 19, 2025

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12

CVSS Base 7.8

→

CRS Select profile

CVE-2025-6625

7.5 📝

Unknown Multiple Products August 19, 2025

CWE-20: Improper Input Validation vulnerability exists that could cause a Denial Of Service when specific crafted FTP command is sent to the device

CVSS Base 7.5

→

CRS Select profile

CVE-2025-33090

7.5

IBM Multiple Products August 19, 2025

IBM Concert Software 1

CVSS Base 7.5

→

CRS Select profile

CVE-2025-55586

7.5

TOTOLINK Multiple Products August 19, 2025

TOTOLINK A3002R v4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-55587

7.5

TOTOLINK Multiple Products August 19, 2025

TOTOLINK A3002R v4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-55588

7.5

TOTOLINK Multiple Products August 19, 2025

TOTOLINK A3002R v4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-54156

7.4

PACS Multiple Products August 19, 2025

The Sante PACS Server Web Portal sends credential information without encryption

CVSS Base 7.4

→

CRS Select profile

CVE-2025-5296

7.3

Unknown Multiple Products August 19, 2025

CWE-59: Improper Link Resolution Before File Access ('Link Following') vulnerability exists that could cause arbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file corruption, exposure of application and system information or persistent denial of service when a low-privileged attacker tampers with the installation folder

CVSS Base 7.3

→

CRS Select profile

CVE-2025-9154

7.3

Management Multiple Products August 19, 2025

A flaw has been found in itsourcecode Online Tour and Travel Management System 1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-9155

7.3

Management Multiple Products August 19, 2025

A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-9156

7.3

Management Multiple Products August 19, 2025

A vulnerability was found in itsourcecode Sports Management System 1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-54421

7.2

Minecraft Multiple Products August 19, 2025

NamelessMC is a free, easy to use & powerful website software for Minecraft servers

CVSS Base 7.2

→

CRS Select profile

CVE-2025-55291

7.1

bookmark Multiple Products August 19, 2025

Shaarli is a minimalist bookmark manager and link sharing service

CVSS Base 7.1

→

CRS Select profile

Archived Security Snapshot

🎯 SSCV Profile

📊 Archived Security Brief

Section Navigation

⚠️ CISA Known Exploited Vulnerabilities

🚨 Critical Vulnerabilities

⚠️ High Priority Updates

⭐ Starred CVEs

Archived Security Brief

CISA Known Exploited Vulnerabilities

Critical Vulnerabilities

High Priority Updates