Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Tuesday's threat landscape demands urgent action with federal KEV deadlines expiring TODAY for TP-Link TL-WR841N router (CVE-2023-50224) and multiple TP-Link routers (CVE-2025-9377). Additionally, a CVSS 10.0 maximum-severity flaw in Flowise (CVE-2025-59528) enables remote code execution through LLM configurations. With 8 critical CVEs including SQL injection and deserialization vulnerabilities, plus 81 high-priority issues heavily impacting WordPress ecosystems, security teams face immediate patching requirements.
DEADLINE TODAY: TP-Link TL-WR841N and multiple router KEVs expire September 23
SQL injection in PHPGurukul Park Ticketing System (CVSS 9.8)
81 high-priority vulnerabilities with PHP file inclusion flaws widespread
Only 9% patches available across 89 total vulnerabilities
Immediate action: IMMEDIATE: Patch TP-Link TL-WR841N (CVE-2023-50224) and TP-Link Multiple Routers (CVE-2025-9377) TODAY for federal compliance. Address Flowise RCE immediately if using LLM platforms.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2020-24363
9.5
TP-LinkTL-WA855RE
β° Federal Deadline:September 22, 2025(1 days remaining)
TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-55177
9.5π
Meta PlatformsWhatsApp
β° Federal Deadline:September 22, 2025(1 days remaining)
Meta Platforms WhatsApp Incorrect Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2023-50224
9.5
TP-LinkTL-WR841N
β° Federal Deadline:September 23, 2025(2 days remaining)
TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-9377
9.5
TP-LinkMultiple Routers
β° Federal Deadline:September 23, 2025(2 days remaining)
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-38352
9.5
LinuxKernel
β° Federal Deadline:September 24, 2025(3 days remaining)
Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-48543
9.5π
AndroidRuntime
β° Federal Deadline:September 24, 2025(3 days remaining)
Android Runtime Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-53690
9.5π
SitecoreMultiple Products
β° Federal Deadline:September 24, 2025(3 days remaining)
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-5086
9.5
Dassault SystèmesDELMIA Apriso
β° Federal Deadline:October 1, 2025(10 days remaining)
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2025-56074
9.8π
A SQL Injection vulnerability was discovered in theMultiple Products
A SQL Injection vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execut...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-59528
10π
Flowise is a dragMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input conf...
CVSS Base10
β
CRSSelect profile
CVE-2025-6544
9.8π
A deserialization vulnerability exists inMultiple Products
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handlin...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-35042
9.8π
Airship AI Acropolis includes a default administrative account that uses the same credentials on everyMultiple Products
Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to ...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-57437
9.8π
The Blackmagic Web Presenter HD firmware versionMultiple Products
The Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive information via an unauthenticated Telnet service on port 9977. When connected, the service reveals extensive device configuratio...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-57441
9.8π
The Blackmagic ATEM Mini ProMultiple Products
The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol p...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-58255
9.6π
UnknownMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images allows Code Injection. This issue affects Custom Post Type Images: from n/a through 0.5.
CVSS Base9.6
β
CRSSelect profile
CVE-2025-59434
9.6π
Flowise is a dragMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on t...
CVSS Base9.6
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-58973
7.5π
hashthemes EasyMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2025-57977
7.1π
WordPressMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress allows Cross Site Request Forgery
CVSS Base7.1
β
CRSSelect profile
CVE-2025-53450
7.5π
Pluginwale EasyMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pluginwale Easy Pricing Table WP allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2025-57925
7.5π
immonex immonexMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in immonex immonex Kickstart Team allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2025-59588
7.5π
PenciDesign SoledadMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2025-59572
8.8π
purethemesMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in purethemes WorkScout-Core allows Cross Site Request Forgery
CVSS Base8.8
β
CRSSelect profile
CVE-2025-57919
7.2π
WordPressMultiple Products
Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress β ConveyThis allows Object Injection
CVSS Base7.2
β
CRSSelect profile
CVE-2025-53692
7.1π
ExperienceMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS)
CVSS Base7.1
β
CRSSelect profile
CVE-2025-58686
8.5π
quadlayers PerfectMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quadlayers Perfect Brands for WooCommerce allows SQL Injection
CVSS Base8.5
β
CRSSelect profile
CVE-2025-59420
7.5π
ConnectMultiple Products
Authlib is a Python library which builds OAuth and OpenID Connect servers
A vulnerability was identified in Tenda AC20 up to 16
CVSS Base8.8
β
CRSSelect profile
CVE-2025-53465
7.2
raoinfotech GSheetsMultiple Products
Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection
CVSS Base7.2
β
CRSSelect profile
CVE-2025-58662
7.2
awesomesupportMultiple Products
Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support allows Object Injection
CVSS Base7.2
β
CRSSelect profile
CVE-2025-59430
8.2
MeshMultiple Products
Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect
CVSS Base8.2
β
CRSSelect profile
CVE-2025-10854
8.1
txtaiMultiple Products
The txtai framework allows the loading of compressed tar files as embedding indices
CVSS Base8.1
β
CRSSelect profile
CVE-2025-51006
7.8
WithinMultiple Products
Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2
CVSS Base7.8
β
CRSSelect profile
CVE-2025-8892
7.8
maliciouslyMultiple Products
A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory Corruption vulnerability
CVSS Base7.8
β
CRSSelect profile
CVE-2025-5962
7.7
flawMultiple Products
A flaw was found in the Lightspeed history service
CVSS Base7.7
β
CRSSelect profile
CVE-2025-35041
7.5
attemptsMultiple Products
Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials
CVSS Base7.5
β
CRSSelect profile
CVE-2025-36202
7.5
IBMMultiple Products
IBM webMethods Integration 10
CVSS Base7.5
β
CRSSelect profile
CVE-2025-59527
7.5
FlowiseMultiple Products
Flowise is a drag & drop user interface to build a customized large language model flow
CVSS Base7.5
β
CRSSelect profile
CVE-2025-10781
7.3
ManagementMultiple Products
A vulnerability was identified in Campcodes Online Learning Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10782
7.3
ManagementMultiple Products
A security flaw has been discovered in Campcodes Online Learning Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10783
7.3
ManagementMultiple Products
A weakness has been identified in Campcodes Online Learning Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10784
7.3
ManagementMultiple Products
A security vulnerability has been detected in Campcodes Online Learning Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10785
7.3
InventoryMultiple Products
A vulnerability was detected in Campcodes Grocery Sales and Inventory System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10786
7.3
InventoryMultiple Products
A flaw has been found in Campcodes Grocery Sales and Inventory System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10788
7.3
ReservationMultiple Products
A vulnerability was determined in SourceCodester Online Hotel Reservation System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10789
7.3
ReservationMultiple Products
A vulnerability was identified in SourceCodester Online Hotel Reservation System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10791
7.3
BiddingMultiple Products
A weakness has been identified in code-projects Online Bidding System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10793
7.3
CommerceMultiple Products
A vulnerability was detected in code-projects E-Commerce Website 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10795
7.3
BiddingMultiple Products
A vulnerability has been found in code-projects Online Bidding System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10796
7.3
ManagementMultiple Products
A vulnerability was found in code-projects Hostel Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10797
7.3
ManagementMultiple Products
A vulnerability was determined in code-projects Hostel Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10798
7.3
ManagementMultiple Products
A vulnerability was identified in code-projects Hostel Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10799
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Hostel Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10800
7.3
DiscussionMultiple Products
A weakness has been identified in itsourcecode Online Discussion Forum 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10801
7.3
ManagementMultiple Products
A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10802
7.3
BiddingMultiple Products
A flaw has been found in code-projects Online Bidding System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10808
7.3
ManagementMultiple Products
A weakness has been identified in Campcodes Farm Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10809
7.3
ManagementMultiple Products
A security vulnerability has been detected in Campcodes Online Learning Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-55888
7.3
transactionMultiple Products
Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10810
7.3
ManagementMultiple Products
A vulnerability was detected in Campcodes Online Learning Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10811
7.3
ManagementMultiple Products
A flaw has been found in code-projects Hostel Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10812
7.3
ManagementMultiple Products
A vulnerability has been found in code-projects Hostel Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10813
7.3
ManagementMultiple Products
A vulnerability was found in code-projects Hostel Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10816
7.3
JinherMultiple Products
A security flaw has been discovered in Jinher OA 2
CVSS Base7.3
β
CRSSelect profile
CVE-2025-10817
7.3
ManagementMultiple Products
A weakness has been identified in Campcodes Online Learning Management System 1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Reflected XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-58259
7.1
scriptsbundle NokriMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in scriptsbundle Nokri allows Cross Site Request Forgery
CVSS Base7.1
β
CRSSelect profile
CVE-2025-58261
7.1
PressPageMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in PressPage Entertainment Inc Mavis HTTPS to HTTP Redirection allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-58262
7.1
wpdirectorykit SweetMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in wpdirectorykit Sweet Energy Efficiency allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-58267
7.1
Aftabul Islam StockMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Aftabul Islam Stock Message allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-58268
7.1
WPMK WPMK PDFMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in WPMK WPMK PDF Generator allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-58270
7.1
NIX Solutions Ltd NIXMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in NIX Solutions Ltd NIX Anti-Spam Light allows Cross Site Request Forgery