CVE Brief - October 29, 2025

Wednesday, October 29, 2025 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Select your system profile:

Risk scores will be adjusted based on your selected environment

Archived Security Brief

This curated brief highlights 11 critical vulnerabilities and 61 high-priority updates requiring immediate attention.

72 total vulnerabilities disclosed in last 24 hours
WordPress ecosystem significantly impacted: 4 plugin/theme vulnerabilities

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

CISA Known Exploited Vulnerabilities

⚠️ CISA KEV URGENT

CVE-2021-43798

9.5

Grafana Labs Grafana October 8, 2025

⏰ Federal Deadline: October 29, 2025 (1 days remaining)

Grafana Path Traversal Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-47827

9.5

IGEL IGEL OS October 13, 2025

⏰ Federal Deadline: November 3, 2025 (6 days remaining)

IGEL OS Use of a Key Past its Expiration Date Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-24990

9.5 📝

Microsoft Windows October 13, 2025

⏰ Federal Deadline: November 3, 2025 (6 days remaining)

Microsoft Windows Untrusted Pointer Dereference Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-59230

9.5 📝

Microsoft Windows October 13, 2025

⏰ Federal Deadline: November 3, 2025 (6 days remaining)

Microsoft Windows Improper Access Control Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2016-7836

9.5

SKYSEA Client View October 13, 2025

⏰ Federal Deadline: November 3, 2025 (6 days remaining)

SKYSEA Client View Improper Authentication Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-54253

9.5 📝

Adobe Experience Manager (AEM) Forms October 14, 2025

⏰ Federal Deadline: November 4, 2025 (7 days remaining)

Adobe Experience Manager Forms Code Execution Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2022-48503

9.5

Apple Multiple Products October 19, 2025

⏰ Federal Deadline: November 9, 2025 (12 days remaining)

Apple Multiple Products Unspecified Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-2746

9.5

Kentico Xperience CMS October 19, 2025

⏰ Federal Deadline: November 9, 2025 (12 days remaining)

Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-2747

9.5

Kentico Xperience CMS October 19, 2025

⏰ Federal Deadline: November 9, 2025 (12 days remaining)

Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-33073

9.5

Microsoft Windows October 19, 2025

⏰ Federal Deadline: November 9, 2025 (12 days remaining)

Microsoft Windows SMB Client Improper Access Control Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-61884

9.5 📝

Oracle E-Business Suite October 19, 2025

⏰ Federal Deadline: November 9, 2025 (12 days remaining)

Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-61932

9.5 📝

Motex LANSCOPE Endpoint Manager October 21, 2025

⏰ Federal Deadline: November 11, 2025 (14 days remaining)

Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-54236

9.5 📝

Adobe Commerce and Magento October 23, 2025

⏰ Federal Deadline: November 13, 2025 (16 days remaining)

Adobe Commerce and Magento Improper Input Validation Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-59287

9.5 📝

Microsoft Windows October 23, 2025

⏰ Federal Deadline: November 13, 2025 (16 days remaining)

Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-6204

9.5

Dassault Systèmes DELMIA Apriso October 27, 2025

⏰ Federal Deadline: November 17, 2025 (20 days remaining)

Dassault Systèmes DELMIA Apriso Code Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-6205

9.5 📝

Dassault Systèmes DELMIA Apriso October 27, 2025

⏰ Federal Deadline: November 17, 2025 (20 days remaining)

Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

Critical Vulnerabilities

CVE-2025-4665

9.6 📝

WordPress plugin Contact Form Multiple Products Oct 29, 2025

WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injectio...

CVSS Base 9.6

→

CRS Select profile

CVE-2025-64095

10 📝

DNN Multiple Products Oct 28, 2025

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and ...

CVSS Base 10

→

CRS Select profile

CVE-2025-12380

9.8 📝

Starting with Firefox Multiple Products Oct 28, 2025

Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape...

CVSS Base 9.8

→

CRS Select profile

CVE-2024-45162

9.8 📝

A Multiple Products Oct 29, 2025

A stack-based buffer overflow issue was discovered in the phddns client in Blu-Castle BCUM221E 1.0.0P220507 via the password field.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-11202

9.8 📝

Unknown Multiple Products Oct 29, 2025

win-cli-mcp-server resolveCommandPath Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of win-cli-m...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-62368

9 📝

Taiga is an open source project management Multiple Products Oct 28, 2025

Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserialization of untrusted data. This ...

CVSS Base 9

→

CRS Select profile

CVE-2025-36386

9.8 📝

IBM Maximo Application Suite Multiple Products Oct 28, 2025

IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-61128

9.1 📝

Unknown Multiple Products Oct 28, 2025

Stack-based buffer overflow vulnerability in WAVLINK QUANTUM D3G/WL-WN530HG3 firmware M30HG3_V240730, and possibly other wavlink models allows attackers to execute arbitrary code via crafted referrer ...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-60355

9.8 📝

Unknown Multiple Products Oct 28, 2025

zhangyd-c OneBlog before 2.3.9 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

CVSS Base 9.8

→

CRS Select profile

CVE-2025-61043

9.1 📝

An Multiple Products Oct 28, 2025

An out-of-bounds read vulnerability has been discovered in Monkey's Audio 11.31, specifically in the CAPECharacterHelper::GetUTF16FromUTF8 function. The issue arises from improper handling of the leng...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-61235

9.1 📝

An issue was discovered in Dataphone Multiple Products Oct 28, 2025

An issue was discovered in Dataphone A920 v2025.07.161103. A custom packet based on public documentation can be crafted, where some fields can contain arbitrary or trivial data. Normally, such data sh...

CVSS Base 9.1

→

CRS Select profile

High Priority Updates

CVE-2025-64140

8.8 📝

Jenkins Multiple Products October 29, 2025

Jenkins Azure CLI Plugin 0

CVSS Base 8.8

→

CRS Select profile

CVE-2025-64104

7.3 📝

LangGraph Multiple Products October 29, 2025

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite)

CVSS Base 7.3

→

CRS Select profile

CVE-2025-60075

7.1 📝

WordPress Multiple Products October 29, 2025

Cross-Site Request Forgery (CSRF) vulnerability in Allegro Marketing hpb seo plugin for WordPress hpbseo allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-11735

7.5 📝

WordPress Multiple Products October 29, 2025

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1

CVSS Base 7.5

→

CRS Select profile

CVE-2025-64195

7.6 📝

ThimPress Eduma eduma Multiple Products October 29, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Eduma eduma allows PHP Local File Inclusion

CVSS Base 7.6

→

CRS Select profile

CVE-2025-64216

7.5 📝

ThemeSphere SmartMag Multiple Products October 29, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeSphere SmartMag smart-mag allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-64284

7.5 📝

Majestic Support Multiple Products October 29, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-62776

7.8 📝

installer Multiple Products October 29, 2025

The installer of WTW EAGLE (for Windows) 3

CVSS Base 7.8

→

CRS Select profile

CVE-2025-10145

7.7 📝

WordPress Multiple Products October 29, 2025

The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4

CVSS Base 7.7

→

CRS Select profile

CVE-2025-54604

7.5 📝

Core Multiple Products October 29, 2025

Bitcoin Core through 29

CVSS Base 7.5

→

CRS Select profile

CVE-2025-54605

7.5 📝

Core Multiple Products October 29, 2025

Bitcoin Core through 29

CVSS Base 7.5

→

CRS Select profile

CVE-2025-64131

7.5 📝

Jenkins Multiple Products October 29, 2025

Jenkins SAML Plugin 4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-64134

7.1 📝

Jenkins Multiple Products October 29, 2025

Jenkins JDepend Plugin 1

CVSS Base 7.1

→

CRS Select profile

CVE-2025-11201

8.1 📝

Tracking Multiple Products October 29, 2025

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability

CVSS Base 8.1

→

CRS Select profile

CVE-2025-10920

7.8 📝

GIMP Multiple Products October 29, 2025

GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-10921

7.8

GIMP Multiple Products October 29, 2025

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-10922

7.8

GIMP Multiple Products October 29, 2025

GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-10923

7.8

GIMP Multiple Products October 29, 2025

GIMP WBMP File Parsing Integer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-10924

7.8

GIMP Multiple Products October 29, 2025

GIMP FF File Parsing Integer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-10925

7.8

GIMP Multiple Products October 29, 2025

GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-10934

7.8

GIMP Multiple Products October 29, 2025

GIMP XWD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-11463

7.8

Unknown Multiple Products October 29, 2025

Ashlar-Vellum Cobalt XE File Parsing Integer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-11464

7.8

Unknown Multiple Products October 29, 2025

Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-11465

7.8

Unknown Multiple Products October 29, 2025

Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-60858

7.5

Reolink Multiple Products October 29, 2025

Reolink Video Doorbell Wi-Fi DB_566128M5MP_W stores and transmits DDNS credentials in plaintext within its configuration and update scripts, allowing attackers to intercept or extract sensitive information

CVSS Base 7.5

→

CRS Select profile

CVE-2025-54546

7.5

affected Multiple Products October 29, 2025

On affected platforms, restricted users could use SSH port forwarding to access host-internal services

CVSS Base 7.5

→

CRS Select profile

CVE-2025-59837

7.2

Astro Multiple Products October 29, 2025

Astro is a web framework that includes an image proxy

CVSS Base 7.2

→

CRS Select profile

CVE-2025-11200

8.1

MLflow Multiple Products October 29, 2025

MLflow Weak Password Requirements Authentication Bypass Vulnerability

CVSS Base 8.1

→

CRS Select profile

CVE-2025-9869

7.8

Razer Multiple Products October 29, 2025

Razer Synapse 3 Macro Module Link Following Local Privilege Escalation Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-9870

7.8

Razer Multiple Products October 29, 2025

Razer Synapse 3 RazerPhilipsHueUninstall Link Following Local Privilege Escalation Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-9871

7.8

Razer Multiple Products October 29, 2025

Razer Synapse 3 Chroma Connect Link Following Local Privilege Escalation Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-62777

8.8

Use Multiple Products October 29, 2025

Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1

CVSS Base 8.8

→

CRS Select profile

CVE-2025-56399

8.8

alexusmai Multiple Products October 29, 2025

alexusmai laravel-file-manager 3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-61429

8.8

Terminal Multiple Products October 29, 2025

An issue in NCR Atleos Terminal Manager (ConfigApp) v3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-11702

8.5

versions Multiple Products October 29, 2025

GitLab has remediated an issue in EE affecting all versions from 17

CVSS Base 8.5

→

CRS Select profile

CVE-2025-61161

8.4

Evope Collector DLL Multiple Products October 29, 2025

DLL hijacking vulnerability in Evope Collector 1

CVSS Base 8.4

→

CRS Select profile

CVE-2025-10932

8.2

Progress MOVEit Multiple Products October 29, 2025

Uncontrolled Resource Consumption vulnerability in Progress MOVEit Transfer (AS2 module)

CVSS Base 8.2

→

CRS Select profile

CVE-2025-64101

8.1

Zitadel Multiple Products October 29, 2025

Zitadel is open-source identity infrastructure software

CVSS Base 8.1

→

CRS Select profile

CVE-2025-12341

7.8

was Multiple Products October 29, 2025

A vulnerability was detected in ermig1979 AntiDupl up to 2

CVSS Base 7.8

→

CRS Select profile

CVE-2025-53814

7.8

A Multiple Products October 29, 2025

A use-after-free vulnerability exists in the XML parser functionality of GCC Productions Inc

CVSS Base 7.8

→

CRS Select profile

CVE-2025-53855

7.8

An Multiple Products October 29, 2025

An out-of-bounds write vulnerability exists in the XML parser functionality of GCC Productions Inc

CVSS Base 7.8

→

CRS Select profile

CVE-2025-57227

7.8

unquoted Multiple Products October 29, 2025

An unquoted service path in Kingosoft Technology Ltd Kingo ROOT v1

CVSS Base 7.8

→

CRS Select profile

CVE-2025-54545

7.8

affected Multiple Products October 29, 2025

On affected platforms, a restricted user could break out of the CLI sandbox to the system shell and elevate their privileges

CVSS Base 7.8

→

CRS Select profile

CVE-2025-61103

7.5

Unknown Multiple Products October 29, 2025

FRRouting/frr from v4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-61104

7.5

Unknown Multiple Products October 29, 2025

FRRouting/frr from v4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-61106

7.5

Unknown Multiple Products October 29, 2025

FRRouting/frr from v4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-61107

7.5

Unknown Multiple Products October 29, 2025

FRRouting/frr from v4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60349

7.5

issue Multiple Products October 29, 2025

An issue was discovered in Prevx v3

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60354

7.5

Unauthorized Multiple Products October 29, 2025

Unauthorized modification of arbitrary articles vulnerability exists in blog-vue-springboot

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60800

7.5

Incorrect Multiple Products October 29, 2025

Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60805

7.5

Application Multiple Products October 29, 2025

An issue was discovered in BESSystem BES Application Server thru 9

CVSS Base 7.5

→

CRS Select profile

CVE-2025-62727

7.5

Starlette Multiple Products October 29, 2025

Starlette is a lightweight ASGI framework/toolkit

CVSS Base 7.5

→

CRS Select profile

CVE-2025-56558

7.5

issue Multiple Products October 29, 2025

An issue discovered in Dyson App v6

CVSS Base 7.5

→

CRS Select profile

CVE-2025-11232

7.5

trigger Multiple Products October 29, 2025

To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9

CVSS Base 7.5

→

CRS Select profile

CVE-2025-54459

7.5

Hospital Multiple Products October 29, 2025

Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP

CVSS Base 7.5

→

CRS Select profile

CVE-2025-12336

7.3

Online Multiple Products October 29, 2025

A vulnerability was identified in Campcodes Retro Basketball Shoes Online Store 1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-12337

7.3

Online Multiple Products October 29, 2025

A security flaw has been discovered in Campcodes Retro Basketball Shoes Online Store 1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-12338

7.3

Online Multiple Products October 29, 2025

A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-12339

7.3

Online Multiple Products October 29, 2025

A security vulnerability has been detected in Campcodes Retro Basketball Shoes Online Store 1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-12342

7.3

flaw Multiple Products October 29, 2025

A flaw has been found in Serdar Bayram Ghost Hot Spot up to 20251014

CVSS Base 7.3

→

CRS Select profile

CVE-2025-12378

7.3

Ordering Multiple Products October 29, 2025

A security flaw has been discovered in code-projects Simple Food Ordering System 1

CVSS Base 7.3

→

CRS Select profile

Archived Security Snapshot

🎯 SSCV Profile

📊 Archived Security Brief

Section Navigation

⚠️ CISA Known Exploited Vulnerabilities

🚨 Critical Vulnerabilities

⚠️ High Priority Updates

⭐ Starred CVEs

Archived Security Brief

CISA Known Exploited Vulnerabilities

Critical Vulnerabilities

High Priority Updates