Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Archived Security Brief
This curated brief highlights 12 critical vulnerabilities and 33 high-priority updates requiring immediate attention.
45 total vulnerabilities disclosed in last 24 hours
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2025-5086
9.5
Dassault SystèmesDELMIA Apriso
β° Federal Deadline:October 1, 2025(2 days remaining)
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-10585
9.5π
GoogleChromium V8
β° Federal Deadline:October 13, 2025(14 days remaining)
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-32463
9.5
SudoSudo
β° Federal Deadline:October 19, 2025(20 days remaining)
Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-59689
9.5
LibraesvaEmail Security Gateway
β° Federal Deadline:October 19, 2025(20 days remaining)
Libraesva Email Security Gateway Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-10035
9.5π
FortraGoAnywhere MFT
β° Federal Deadline:October 19, 2025(20 days remaining)
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-20352
9.5π
CiscoIOS and IOS XE
β° Federal Deadline:October 19, 2025(20 days remaining)
Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-21311
9.5
AdminerAdminer
β° Federal Deadline:October 19, 2025(20 days remaining)
Adminer Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2025-8625
9.8π
The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution viaMultiple Products
The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key wh...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-57266
9.8π
An issue was discovered in fileMultiple Products
An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/a...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-10659
9.8π
The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handlesMultiple Products
The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the in...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-9762
9.8π
The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in theMultiple Products
The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This m...
CVSS Base9.8
β
CRSSelect profile
CVE-2024-13150
9.8π
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Fayton Software and Consulting Services fayton.Pro ERP allows SQL Injection.This issue affects fay...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-7493
9.1π
A privilege escalation flaw from host to domain administrator was found inMultiple Products
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. W...
CVSS Base9.1
β
CRSSelect profile
CVE-2025-10725
9.9π
A flaw was found in Red Hat Openshift AIMultiple Products
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate the...
CVSS Base9.9
β
CRSSelect profile
CVE-2025-11126
9.8π
A security flaw has been discovered in ApemanMultiple Products
A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The a...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-8868
9.8π
In Progress ChefMultiple Products
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via
im...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-54875
9.8π
FreshRSS is aMultiple Products
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hi...
CVSS Base9.8
β
CRSSelect profile
CVE-2025-11148
9.8π
All versions of the packageMultiple Products
All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git br...
CVSS Base9.8
β
CRSSelect profile
CVE-2024-58040
9.1π
UnknownMultiple Products
Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-41246
7.6π
VMwareMultiple Products
VMware Tools for Windows contains an improper authorisationΒ vulnerability due to the way it handles user access controls
CVSS Base7.6
β
CRSSelect profile
CVE-2025-7038
8.2π
WordPressMultiple Products
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5
CVSS Base8.2
β
CRSSelect profile
CVE-2025-8877
7.5π
WordPressMultiple Products
The AffiliateWP plugin for WordPress is vulnerable to SQL Injection via the ajax_get_affiliate_id_from_login function in all versions up to, and including, 2
CVSS Base7.5
β
CRSSelect profile
CVE-2025-7052
8.8π
WordPressMultiple Products
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5
CVSS Base8.8
β
CRSSelect profile
CVE-2025-41250
8.5π
VMwareMultiple Products
VMware vCenter contains an SMTP header injection vulnerability
CVSS Base8.5
β
CRSSelect profile
CVE-2025-9991
8.1π
WordPressMultiple Products
The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4
CVSS Base8.1
β
CRSSelect profile
CVE-2025-9993
8.1π
WordPressMultiple Products
The Bei Fen β WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
CVSS Base8.1
β
CRSSelect profile
CVE-2024-55017
7.5π
AccountMultiple Products
Account Takeover in Corezoid 6
CVSS Base7.5
β
CRSSelect profile
CVE-2025-41244
7.8π
VMwareMultiple Products
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability
CVSS Base7.8
β
CRSSelect profile
CVE-2025-41251
8.1π
VMwareMultiple Products
VMware NSX contains a weak password recovery mechanism vulnerability
CVSS Base8.1
β
CRSSelect profile
CVE-2025-41252
7.5π
VMwareMultiple Products
Description: VMware NSX contains a username enumeration vulnerability
CVSS Base7.5
β
CRSSelect profile
CVE-2025-45376
7.5π
DellMultiple Products
Dell Repository Manager (DRM), versions 3
CVSS Base7.5
β
CRSSelect profile
CVE-2025-11130
8.4π
weaknessMultiple Products
A weakness has been identified in iHongRen pptp-vpn 1
CVSS Base8.4
β
CRSSelect profile
CVE-2025-7779
8.8π
LocalMultiple Products
Local privilege escalation due to insecure XPC service configuration
CVSS Base8.8
β
CRSSelect profile
CVE-2025-11123
8.8π
flawMultiple Products
A flaw has been found in Tenda AC18 15
CVSS Base8.8
β
CRSSelect profile
CVE-2025-6724
8.8π
earlierMultiple Products
In Progress Chef Automate, versions earlier than 4
CVSS Base8.8
β
CRSSelect profile
CVE-2025-36245
8.8
IBMMultiple Products
IBM InfoSphere 11
CVSS Base8.8
β
CRSSelect profile
CVE-2025-11178
7.3
LocalMultiple Products
Local privilege escalation due to DLL hijacking vulnerability
CVSS Base7.3
β
CRSSelect profile
CVE-2025-23293
8.7
NVIDIAMultiple Products
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action
CVSS Base8.7
β
CRSSelect profile
CVE-2025-48006
8.2π
DataSpiderMultiple Products
Improper restriction of XML external entity reference issue exists in DataSpider Servista 4
CVSS Base8.2
β
CRSSelect profile
CVE-2025-57483
8.1π
reflectedMultiple Products
A reflected cross-site scripting (XSS) vulnerability in tawk
CVSS Base8.1
β
CRSSelect profile
CVE-2025-35030
8.1π
InformaticsMultiple Products
Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user
CVSS Base8.1
β
CRSSelect profile
CVE-2025-6033
7.8
ThereMultiple Products
There is a memory corruption vulnerability due to an out of bounds write in XML_Serialize() when using SymbolEditor in NI Circuit Design Suite
CVSS Base7.8
β
CRSSelect profile
CVE-2025-6034
7.8
ThereMultiple Products
There is a memory corruption vulnerability due to an out of bounds read in DefaultFontOptions() when using SymbolEditor in NI Circuit Design Suite
CVSS Base7.8
β
CRSSelect profile
CVE-2025-51495
7.5
integerMultiple Products
An integer overflow vulnerability exists in the WebSocket component of Mongoose 7
CVSS Base7.5
β
CRSSelect profile
CVE-2025-54591
7.5
FreshRSSMultiple Products
FreshRSS is a free, self-hostable RSS aggregator
CVSS Base7.5
β
CRSSelect profile
CVE-2025-59942
7.5
UnknownMultiple Products
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3)
CVSS Base7.5
β
CRSSelect profile
CVE-2025-11149
7.5
ThisMultiple Products
This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static
CVSS Base7.5
β
CRSSelect profile
CVE-2025-59668
7.5
MultipleMultiple Products
Multiple versions of Central Monitor CNS-6201 contain a NULL pointer dereference vulnerability
CVSS Base7.5
β
CRSSelect profile
CVE-2025-9230
7.5
IssueMultiple Products
Issue summary: An application trying to decrypt CMS messages encrypted using
password based encryption can trigger an out-of-bounds read and write
CVSS Base7.5
β
CRSSelect profile
CVE-2025-11135
7.3
wasMultiple Products
A vulnerability was detected in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486
CVSS Base7.3
β
CRSSelect profile
CVE-2025-11140
7.3
wasMultiple Products
A vulnerability was identified in Bjskzy Zhiyou ERP up to 11
CVSS Base7.3
β
CRSSelect profile
CVE-2025-57424
7.3
storedMultiple Products
A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field