CVE-2025-10585
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality.
This week's security landscape featured 17 critical vulnerabilities including Redis memory corruption (CVSS 9.9) and multiple WordPress plugin authentication bypasses. With 11 CISA KEV vulnerabilities actively exploited and only 24% of issues having available patches, organizations face significant exposure across web applications and enterprise infrastructure.
Immediate action: Prioritize patching Redis instances and WordPress plugins. Review the CISA KEV catalog for federal compliance requirements. Implement compensating controls for vulnerabilities that remain unpatched.
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability - Active in CISA KEV catalog.
Libraesva Email Security Gateway Command Injection Vulnerability - Active in CISA KEV catalog.
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability - Active in CISA KEV catalog.
Adminer Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
GNU Bash OS Command Injection Vulnerability - Active in CISA KEV catalog.
Jenkins Remote Code Execution Vulnerability - Active in CISA KEV catalog.
Juniper ScreenOS Improper Authentication Vulnerability - Active in CISA KEV catalog.
Samsung Mobile Devices Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
Smartbedded Meteobridge Command Injection Vulnerability - Active in CISA KEV catalog.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigg...
The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and in...
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API d...
The WPRecovery plugin for WordPress is vulnerable to SQL Injection via the 'data[id]' parameter in all versions up to, and including, 2.0. This is due to insufficient escaping on the user supplied par...
SQL injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability could allow an attacker to retrieve, create, update, and delete databases by sending a POST request. The relationship between ...
The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a us...
The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to...
The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a...
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This m...
Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The rela...
Redis is an open source, in-memory database that persists on disk
phpMyFAQ is an open source FAQ web application
An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux
The WP Dispatcher plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1
The Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0
The TextBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 1
The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3
TS3 Manager is modern web interface for maintaining Teamspeak3 servers
Flock Safety Falcon and Sparrow License Plate Readers OPM1
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin
Files or Directories Accessible to External Parties vulnerability in Apache Kylin
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin
An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption
SSH Tectia Server before 6
HCL MyXalytics product is affected by Cross Site Scripting vulnerability in the web application
TP-Link AX1800 WiFi 6 Router (Archer AX21) devices allow unauthenticated attackers (on the LAN) to execute arbitrary code as root via the db_dir field to minidlnad
A TCL Smart TV running a vulnerable UPnP/DLNA MediaRenderer implementation is affected by a remote, unauthenticated Denial of Service (DoS) condition
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Teknolojik Center Telecommunication Industry Trade Co
KV STUDIO and VT5-WX15/WX12 contain a stack-based buffer overflow vulnerability
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs
Cursor is a code editor built for programming with AI
Eidos is an extensible framework for Personal Data Management
An unauthenticated debug port may allow access to the device file system
Karapace is an open-source implementation of Kafka REST and Schema Registry
An issue in DirectAdmin v1
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks
KV Studio versions 12
VT Studio versions 8
KV STUDIO versions 12
VT STUDIO versions 8
Installer of Panasonic AutoDownloader version 1
Anyquery is an SQL query engine built on top of SQLite
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `
Emlog is an open source website building system
HCL MyXalytics: 6
Path traversal vulnerability in AndSoft's e-TMS v25
Vulnerability in the cryptographic algorithm of AndSoft's e-TMS v25
YOSHOP 2
Tenda AC18 V15
The Flock Safety Peripheral com
Stalwart is a mail and collaboration server
A flaw was found in QEMU
MotionEye v0
The Matrix specification before 1