CVE-2025-5086
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Critical vulnerabilities, curated daily for security professionals
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
This curated brief highlights 9 critical vulnerabilities and 42 high-priority updates requiring immediate attention.
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability - Active in CISA KEV catalog.
Libraesva Email Security Gateway Command Injection Vulnerability - Active in CISA KEV catalog.
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability - Active in CISA KEV catalog.
Adminer Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key wh...
The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the in...
The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This m...
The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including 1.7.1, due to a missing capability check and lack of suff...
Deserialization of untrusted data inΒ python in pyforyΒ versions 0.12.0 through 0.12.2, or theΒ legacyΒ pyfury versions fromΒ 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulner...
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. W...
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate the...
All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git br...
Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5
The AffiliateWP plugin for WordPress is vulnerable to SQL Injection via the ajax_get_affiliate_id_from_login function in all versions up to, and including, 2
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5
This vulnerability affects Firefox < 143
The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4
The Bei Fen β WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
NVIDIA Installer for NvAPP for Windows contains a vulnerability in the FrameviewSDK installation process, where an attacker with local unprivileged access could modify files in the Frameview SDK directory
This vulnerability affects Firefox < 143
Account Takeover in Corezoid 6
Keysight Ixia Vision has an issue with hardcoded cryptographic material which may allow an attacker to intercept or decrypt payloads sent to the device via API calls or user authentication if the end user does not replace the TLS certificate that shipped with the device
An issue was discovered in Chipsalliance Rocket-Chip commit f517abbf41abb65cea37421d3559f9739efd00a9 (2025-01-29) allowing attackers to corrupt exception handling and privilege state transitions via a flawed interaction between exception handling and MRET return mechanisms in the CSR logic when an exception is triggered during MRET execution
In Splunk Enterprise versions below 10
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes
Local privilege escalation due to insecure XPC service configuration
IBM InfoSphere 11
DigiSign DigiSigner ONE 1
File upload vulnerability in Fiora chat application 1
A CRLF injection vulnerability in Neto CMS v6
A stored cross-site scripting (XSS) in Kissflow Work Platform Kissflow Application Versions 7337 Account v2
A reflected cross-site scripted (XSS) vulnerability in Codazon Magento Themes v1
Dolibarr ERP & CRM v21
Local privilege escalation due to DLL hijacking vulnerability
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action
In Frappe ERPNext 15
In Frappe ERPNext 15
In Frappe ERPNext 15
In Frappe ERPNext 15
A heap-use-after free in the PdfTokenizer::ReadDictionary function of podofo v0
There is a memory corruption vulnerability due to an out of bounds write in XML_Serialize() when using SymbolEditor in NI Circuit Design Suite
There is a memory corruption vulnerability due to an out of bounds read in DefaultFontOptions() when using SymbolEditor in NI Circuit Design Suite
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3)
This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static
Multiple versions of Central Monitor CNS-6201 contain a NULL pointer dereference vulnerability
Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality
An issue was discovered in Django 4
OpenPLC_V3 has a vulnerability in the enipThread function that occurs due to the lack of a return value