Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
This curated brief highlights 32 critical vulnerabilities and 100 high-priority updates requiring immediate attention.
141 total vulnerabilities disclosed in last 24 hours
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2020-25078
9.5
D-LinkDCS-2530L and DCS-2670L Devices
â° Federal Deadline:August 25, 2025(6 days remaining)
D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2020-25079
9.5
D-LinkDCS-2530L and DCS-2670L Devices
â° Federal Deadline:August 25, 2025(6 days remaining)
D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2022-40799
9.5
D-LinkDNR-322L
â° Federal Deadline:August 25, 2025(6 days remaining)
D-Link DNR-322L Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-8088
9.5
RARLABWinRAR
â° Federal Deadline:September 1, 2025(13 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2007-0671
9.5
MicrosoftOffice
â° Federal Deadline:September 1, 2025(13 days remaining)
Microsoft Office Excel Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2013-3893
9.5
MicrosoftInternet Explorer
â° Federal Deadline:September 1, 2025(13 days remaining)
Microsoft Internet Explorer Resource Management Errors Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54948
9.5đ
Trend MicroApex One
â° Federal Deadline:September 7, 2025(19 days remaining)
Trend Micro Apex One OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-8723
9.8đ
The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within itsMultiple Products
The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all ...
CVSS Base9.8
â
CRSSelect profile
CVE-2024-44373
9.8đ
A Path Traversal vulnerability in AllSkyMultiple Products
A Path Traversal vulnerability in AllSky v2023.05.01_04 allows an unauthenticated attacker to create a webshell and remote code execution via the path, content parameter to /includes/save_file.php.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-53577
10đ
Improper Control of Generation of CodeMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion. This issue affects Global DNS: from n/a through 3.1.0.
CVSS Base10
â
CRSSelect profile
CVE-2025-55746
9.3đ
Directus is aMultiple Products
Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-6758
9.8đ
The Real SpacesMultiple Products
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This ...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54143
9.8đ
Sandboxed iframes on webpages could potentially allow downloads to theMultiple Products
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page This vulnerability affects Firefox for iOS < 141.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-55031
9.8đ
Malicious pages could use Firefox for iOS to passMultiple Products
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using t...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8042
9.8đ
Firefox for Android allowed a sandboxed iframe without theMultiple Products
Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-9187
9.8đ
Memory safety bugs present in FirefoxMultiple Products
Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54145
9.1đ
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveragedMultiple Products
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme This vulnerability affects Firefox for iOS...
CVSS Base9.1
â
CRSSelect profile
CVE-2025-54677
9.1đ
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online BookingMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Sch...
CVSS Base9.1
â
CRSSelect profile
CVE-2025-54713
9.8đ
Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows AuthenticationMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse. This issue affects Taxi Booking Manager for W...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54049
9.9đ
Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP allows PrivilegeMultiple Products
Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP allows Privilege Escalation. This issue affects Custom API for WP: from n/a through 4.2.2.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-8610
9.8đ
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code ExecutionMultiple Products
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of A...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8611
9.8đ
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code ExecutionMultiple Products
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of A...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-55733
9.6đ
DeepChat is a smart assistant that connects powerful AI to your personalMultiple Products
DeepChat is a smart assistant that connects powerful AI to your personal world. DeepChat before 0.3.1 has a one-click remote code execution vulnerability. An attacker can exploit this vulnerability b...
CVSS Base9.6
â
CRSSelect profile
CVE-2025-54048
9.3
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniOrange Custom API for WP allows SQL Injection. This issue affects Custom API for WP: from n/a ...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-48148
10
Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeperMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a thr...
CVSS Base10
â
CRSSelect profile
CVE-2025-53213
9.9
Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerceMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping allows Using Malicious Files. This issue affects ReachShip WooC...
CVSS Base9.9
â
CRSSelect profile
CVE-2025-48169
9.9
Improper Control of Generation of CodeMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through 0.3.3.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-55306
9.8đ
UnknownMultiple Products
GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-53299
9.8
Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows ObjectMultiple Products
Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection. This issue affects ThemeMakers Visual Content Composer: from n/a through 1.5...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-53580
9.8
Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro allows PrivilegeMultiple Products
Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro allows Privilege Escalation. This issue affects Simple Business Directory Pro: from n/a through n/a.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54014
9.8
Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenterMultiple Products
Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection. This issue affects MediCenter - Health Medical Clinic: from n/a through 15.1...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-27129
9.8
An authentication bypass vulnerability exists in the HTTP authentication functionality of TendaMultiple Products
An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP request can lead to arbitrary code execution. An attack...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54726
9.3
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Miguel Useche JS Archive List allows SQL Injection. This issue affects JS Archive List: from n/a t...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-50567
10đ
Saurus CMS Community EditionMultiple Products
Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. ...
CVSS Base10
â
CRSSelect profile
CVE-2025-54336
9.8đ
In Plesk ObsidianMultiple Products
In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evalua...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-55294
9.8đ
UnknownMultiple Products
screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot f...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-51543
9.8
An issue was discovered in Cicool builderMultiple Products
An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-9179
9.8
An attacker was able to perform memory corruption in the GMP process which processes encryptedMultiple Products
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the cont...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-49381
9.6
UnknownMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect allows Cross Site Request Forgery. This issue affects ads.txt Guru Connect: from n/a through 1.1.1.
CVSS Base9.6
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-8145
8.8đ
WordPressMultiple Products
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-53565
8.1đ
GoogleMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Widget for Google Reviews allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-8289
7.5đ
WordPressMultiple Products
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3
CVSS Base7.5
â
CRSSelect profile
CVE-2025-8141
8.8đ
WordPressMultiple Products
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-48149
8.1đ
dedalxMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Cook&Meal allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-48157
8.1đ
Michele GiorgiMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-48160
8.1đ
CocoBasic CalirisMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-48171
8.1đ
thembay Cena StoreMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53198
8.1đ
favethemes HouzezMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53204
8.1đ
ovatheme eventlistMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53207
8.1đ
WP Travel WP TravelMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel WP Travel Gutenberg Blocks allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53567
8.1đ
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Ghost Kit allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-54031
8.1đ
Schiocco SupportMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Schiocco Support Board allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-8218
8.8đ
WordPressMultiple Products
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'change_role_member' parameter in all versions up to, and including, 3
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Benjamin Denis SEOPress for MainWP allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-48302
7.5
Roxnor FundEngineMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roxnor FundEngine allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-53210
7.5
bdthemes ZoloBlocksMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bdthemes ZoloBlocks allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54017
7.5
Cozmoslabs PaidMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cozmoslabs Paid Member Subscriptions allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54028
7.5
Saleswonder TeamMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Saleswonder Team Tobias CF7 WOW Styler allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54034
7.5
Tribulant SoftwareMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54750
7.5
FunnelKit FunnelMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FunnelKit Funnel Builder by FunnelKit allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-7670
7.5đ
WordPressMultiple Products
The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6
CVSS Base7.5
â
CRSSelect profile
CVE-2025-9132
8.8
GoogleMultiple Products
Out of bounds write in V8 in Google Chrome prior to 139
CVSS Base8.8
â
CRSSelect profile
CVE-2025-4044
8.2đ
ImproperMultiple Products
Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL
CVSS Base8.2
â
CRSSelect profile
CVE-2025-55029
7.5
MaliciousMultiple Products
Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54052
7.5
Realtyna RealtynaMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Realtyna Realtyna Organic IDX plugin allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-9150
7.3đ
wasMultiple Products
A vulnerability was identified in Surbowl dormitory-management-php up to 9f1d9d1f528cabffc66fda3652c56ff327fda317
CVSS Base7.3
â
CRSSelect profile
CVE-2025-32010
8.1
AMultiple Products
A stack-based buffer overflow vulnerability exists in the Cloud API functionality of Tenda AC6 V5
CVSS Base8.1
â
CRSSelect profile
CVE-2025-54926
7.2
UnknownMultiple Products
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP which then gets executed
Authentication Bypass vulnerability in jobx up to v1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-7654
8.8đ
MultipleMultiple Products
Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode
CVSS Base8.8
â
CRSSelect profile
CVE-2025-49399
8.8
BasixMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms allows Cross Site Request Forgery
CVSS Base8.8
â
CRSSelect profile
CVE-2025-50503
8.8
password resetMultiple Products
A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-51991
8.8
throughMultiple Products
XWiki through version 17
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9245
8.8
LinksysMultiple Products
A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9246
8.8
LinksysMultiple Products
A flaw has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9247
8.8
LinksysMultiple Products
A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9248
8.8
LinksysMultiple Products
A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9249
8.8
LinksysMultiple Products
A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9250
8.8
LinksysMultiple Products
A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9251
8.8
LinksysMultiple Products
A security flaw has been discovered in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9252
8.8
LinksysMultiple Products
A weakness has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-8612
7.3
AOMEIMultiple Products
AOMEI Backupper Workstation Link Following Local Privilege Escalation Vulnerability
CVSS Base7.3
â
CRSSelect profile
CVE-2025-52478
8.7đ
UnknownMultiple Products
n8n is a workflow automation platform
CVSS Base8.7
â
CRSSelect profile
CVE-2025-57731
8.7
YouTrackMultiple Products
In JetBrains YouTrack before 2025
CVSS Base8.7
â
CRSSelect profile
CVE-2025-49438
7.2
Max Chirkov SimpleMultiple Products
Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection
CVSS Base7.2
â
CRSSelect profile
CVE-2025-54012
7.2
nanbu WelcartMultiple Products
Deserialization of Untrusted Data vulnerability in nanbu Welcart e-Commerce allows Object Injection
CVSS Base7.2
â
CRSSelect profile
CVE-2025-48158
8.6
Alex GithatuMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal
CVSS Base8.6
â
CRSSelect profile
CVE-2025-5260
8.6
UnknownMultiple Products
Server-Side Request Forgery (SSRF) vulnerability in Pik Online YazÄąlÄąm ÃÃļzÃŧmleri A
CVSS Base8.6
â
CRSSelect profile
CVE-2025-30256
8.6
denialMultiple Products
A denial of service vulnerability exists in the HTTP Header Parsing functionality of Tenda AC6 V5
CVSS Base8.6
â
CRSSelect profile
CVE-2025-4046
8.5đ
Lexmark CloudMultiple Products
A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization
CVSS Base8.5
â
CRSSelect profile
CVE-2025-53194
8.5
TemplateMultiple Products
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-8450
8.2đ
ImproperMultiple Products
Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page
CVSS Base8.2
â
CRSSelect profile
CVE-2025-9180
8.1
UnknownMultiple Products
'Same-origin policy bypass in the Graphics: Canvas2D component
CVSS Base8.1
â
CRSSelect profile
CVE-2025-24322
8.1
unsafeMultiple Products
An unsafe default authentication vulnerability exists in the Initial Setup Authentication functionality of Tenda AC6 V5
CVSS Base8.1
â
CRSSelect profile
CVE-2025-8309
8.1
ThereMultiple Products
There is an improper privilege management vulnerability identified in ManageEngine's Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp
CVSS Base8.1
â
CRSSelect profile
CVE-2025-9182
7.5
UnknownMultiple Products
'Denial-of-service due to out-of-memory in the Graphics: WebRender component
CVSS Base7.5
â
CRSSelect profile
CVE-2025-30975
7.5
SaifuMak Add CustomMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in SaifuMak Add Custom Codes allows Code Injection
CVSS Base7.5
â
CRSSelect profile
CVE-2025-53208
7.5
paymayapg MayaMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in paymayapg Maya Business allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54021
7.5
Mitchell BennisMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List allows Path Traversal
CVSS Base7.5
â
CRSSelect profile
CVE-2025-55715
7.5
Themeisle OtterMultiple Products
Insertion of Sensitive Information Into Sent Data vulnerability in Themeisle Otter - Gutenberg Block allows Retrieve Embedded Sensitive Data
CVSS Base7.5
â
CRSSelect profile
CVE-2025-5261
7.5
Pik OnlineMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Pik Online YazÄąlÄąm ÃÃļzÃŧmleri A
CVSS Base7.5
â
CRSSelect profile
CVE-2025-57732
7.5
TeamCityMultiple Products
In JetBrains TeamCity before 2025
CVSS Base7.5
â
CRSSelect profile
CVE-2025-24496
7.5
informationMultiple Products
An information disclosure vulnerability exists in the /goform/getproductInfo functionality of Tenda AC6 V5
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54924
7.5
UnknownMultiple Products
CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54925
7.5
UnknownMultiple Products
CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker configures the application to access a malicious url
CVSS Base7.5
â
CRSSelect profile
CVE-2025-55483
7.5
TendaMultiple Products
Tenda AC6 V15
CVSS Base7.5
â
CRSSelect profile
CVE-2025-55482
7.5
TendaMultiple Products
Tenda AC6 V15
CVSS Base7.5
â
CRSSelect profile
CVE-2025-55498
7.5
TendaMultiple Products
Tenda AC6 V15
CVSS Base7.5
â
CRSSelect profile
CVE-2025-5115
7.5
EclipseMultiple Products
In Eclipse Jetty, versions <=9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-9154
7.3
ManagementMultiple Products
A flaw has been found in itsourcecode Online Tour and Travel Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9155
7.3
ManagementMultiple Products
A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9156
7.3
ManagementMultiple Products
A vulnerability was found in itsourcecode Sports Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-55503
7.3
TendaMultiple Products
Tenda AC6 V15
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9238
7.3
wasMultiple Products
A vulnerability was determined in Swatadru Exam-Seating-Arrangement up to 97335ccebf95468d92525f4255a2241d2b0b002f
CVSS Base7.3
â
CRSSelect profile
CVE-2025-31355
7.2
firmwareMultiple Products
A firmware update vulnerability exists in the Firmware Signature Validation functionality of Tenda AC6 V5
CVSS Base7.2
â
CRSSelect profile
CVE-2025-28977
7.1
ThimPress WP PipesMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Pipes allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48151
7.1
ImproperMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48152
7.1
dimafreund RentsystMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48154
7.1
LambertGroupMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Multimedia Playlist Slider Addon for WPBakery Page Builder allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48159
7.1
LambertGroup YoutubeMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider WP Plugin allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48162
7.1
quantumcloud SimpleMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quantumcloud Simple Business Directory Pro allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48163
7.1
LambertGroup SHOUTMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48168
7.1
LambertGroup ApolloMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Apollo - Sticky Full Width HTML5 Audio Player allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48170
7.1
LambertGroupMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48296
7.1
skygroup UpStoreMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup UpStore allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-48297
7.1
quantumcloud SimpleMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quantumcloud Simple Link Directory allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53201
7.1
NooTheme JobmonsterMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53205
7.1
LambertGroup RadioMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Radio Player Shoutcast & Icecast allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53212
7.1
LambertGroupMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Revolution Video Player With Bottom Playlist allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53226
7.1
digitalzoomstudioMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in digitalzoomstudio Comments Capcha Box allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53319
7.1
Raptive Raptive AdsMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53559
7.1
LambertGroupMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS