Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Sunday's security landscape shows moderating weekend threat levels with 9 critical vulnerabilities (-10% from Saturday) and 45 high-priority CVEs (-37% decrease). However, 17 CISA KEV vulnerabilities with November 3rd federal deadline (tomorrow) create critical end-of-weekend urgency. Patch availability improved to 17% (+42%), but 83% of vulnerabilities remain unpatched as organizations face minimal weekend vendor support and Monday's federal compliance deadline.
9 critical CVEs (-10% weekend decline from Saturday's 10)
45 high-priority CVEs (-37% decrease, down from 71)
17 CISA KEV vulnerabilities with November 3rd deadline (TOMORROW)
17% patch availability (+42% improvement from 12%)
Sunday timing: final weekend day before critical Monday federal deadline
WordPress ecosystem impact continues with ongoing plugin vulnerabilities
Immediate action: CRITICAL SUNDAY ACTION: 17 CISA KEV vulnerabilities must be remediated by TOMORROW (November 3rd federal deadline). Organizations must complete weekend patching, deploy emergency compensating controls, and prepare Monday morning verification reports for federal compliance. Limited Sunday vendor support requires immediate prioritization and escalation protocols.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-47827
9.5
IGELIGEL OS
â° Federal Deadline:November 3, 2025(3 days remaining)
IGEL OS Use of a Key Past its Expiration Date Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-24990
9.5đ
MicrosoftWindows
â° Federal Deadline:November 3, 2025(3 days remaining)
Microsoft Windows Untrusted Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-59230
9.5đ
MicrosoftWindows
â° Federal Deadline:November 3, 2025(3 days remaining)
Microsoft Windows Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2016-7836
9.5
SKYSEAClient View
â° Federal Deadline:November 3, 2025(3 days remaining)
SKYSEA Client View Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-54253
9.5đ
AdobeExperience Manager (AEM) Forms
â° Federal Deadline:November 4, 2025(4 days remaining)
Adobe Experience Manager Forms Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-48503
9.5
AppleMultiple Products
â° Federal Deadline:November 9, 2025(9 days remaining)
Apple Multiple Products Unspecified Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-2746
9.5
KenticoXperience CMS
â° Federal Deadline:November 9, 2025(9 days remaining)
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-2747
9.5
KenticoXperience CMS
â° Federal Deadline:November 9, 2025(9 days remaining)
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-33073
9.5
MicrosoftWindows
â° Federal Deadline:November 9, 2025(9 days remaining)
Microsoft Windows SMB Client Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-61884
9.5đ
OracleE-Business Suite
â° Federal Deadline:November 9, 2025(9 days remaining)
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-61932
9.5đ
MotexLANSCOPE Endpoint Manager
â° Federal Deadline:November 11, 2025(11 days remaining)
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54236
9.5đ
AdobeCommerce andâ¯Magento
â° Federal Deadline:November 13, 2025(13 days remaining)
Adobe Commerce andâ¯Magento Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-59287
9.5đ
MicrosoftWindows
â° Federal Deadline:November 13, 2025(13 days remaining)
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6204
9.5
Dassault SystèmesDELMIA Apriso
â° Federal Deadline:November 17, 2025(17 days remaining)
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6205
9.5đ
Dassault SystèmesDELMIA Apriso
â° Federal Deadline:November 17, 2025(17 days remaining)
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-41244
9.5đ
BroadcomVMware Aria Operations and VMware Tools
â° Federal Deadline:November 19, 2025(19 days remaining)
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-24893
9.5
XWikiPlatform
â° Federal Deadline:November 19, 2025(19 days remaining)
XWiki Platform Eval Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-8489
9.8đ
The King Addons for ElementorMultiple Products
The King Addons for Elementor â Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due t...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-11833
9.8đ
The Post SMTPMultiple Products
The Post SMTP â Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construc...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-5397
9.8đ
The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions upMultiple Products
The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's ide...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-11499
9.8đ
The Tablesome TableMultiple Products
The Tablesome Table â Contact Form DB â WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_i...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-48983
9.9đ
A vulnerability in the Mount service of Veeam BackupMultiple Products
A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-52665
10đ
A malicious actor with access to the management network could exploit a misconfiguration inMultiple Products
A malicious actor with access to the management network could exploit a misconfiguration in UniFiâs door access application, UniFi Access, that exposed a management API without proper authentication. ...
CVSS Base10
â
CRSSelect profile
CVE-2025-6520
9.8đ
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Abis Technology BAPSIS allows Blind SQL Injection.This issue affects BAPSIS: before 202510271606.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-29270
10đ
Incorrect access control in theMultiple Products
Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device.
CVSS Base10
â
CRSSelect profile
CVE-2025-57108
9.8đ
Kitware VTKMultiple Products
Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap use-after-free vulnerability in vtkGLTFDocumentLoader. The vulnerability manifests during mesh object copy operations where vector mem...
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-64360
7.5đ
StylemixThemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting Elementor Widgets consulting-elementor-widgets allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-6990
8.8đ
WordPressMultiple Products
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4
CVSS Base8.8
â
CRSSelect profile
CVE-2025-10897
8.6đ
WordPressMultiple Products
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1
CVSS Base8.6
â
CRSSelect profile
CVE-2025-10487
7.3đ
WordPressMultiple Products
The Advanced Ads â Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-12115
7.5đ
WordPressMultiple Products
The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-5949
8.8đ
WordPressMultiple Products
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6
CVSS Base8.8
â
CRSSelect profile
CVE-2025-6574
8.8đ
WordPressMultiple Products
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6
CVSS Base8.8
â
CRSSelect profile
CVE-2025-64359
7.5đ
StylemixThemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting consulting allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-7846
8.8đ
WordPressMultiple Products
The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-11920
8.8đ
WordPressMultiple Products
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-11755
8.8đ
WordPressMultiple Products
The WP Delicious â Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-12171
8.8đ
WordPressMultiple Products
The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-48982
7.3đ
MicrosoftMultiple Products
This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation if a system administrator is tricked into restoring a malicious file
CVSS Base7.3
â
CRSSelect profile
CVE-2025-11995
7.2đ
WordPressMultiple Products
The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event details parameter in all versions up to, and including, 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-48984
8.8đ
BackupMultiple Products
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user
CVSS Base8.8
â
CRSSelect profile
CVE-2025-52664
8.8
ReviveMultiple Products
SQL injection in Revive Adserver 6
CVSS Base8.8
â
CRSSelect profile
CVE-2025-64353
8.8
Chouby PolylangMultiple Products
Deserialization of Untrusted Data vulnerability in Chouby Polylang polylang allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2025-30188
7.5
MaliciousMultiple Products
Malicious or unintentional API requests can be used to add significant amount of data to caches
CVSS Base7.5
â
CRSSelect profile
CVE-2025-64366
7.6
Stylemix MasterStudyMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection
CVSS Base7.6
â
CRSSelect profile
CVE-2025-12507
8.8
CommunicationMultiple Products
The service Bizerba Communication Server (BCS) has an unquoted service path
CVSS Base8.8
â
CRSSelect profile
CVE-2025-64349
8.8
ELOGMultiple Products
ELOG allows an authenticated user to modify another user's profile
CVSS Base8.8
â
CRSSelect profile
CVE-2025-36367
8.8
IBMMultiple Products
IBM i 7
CVSS Base8.8
â
CRSSelect profile
CVE-2025-12508
8.4
WhenMultiple Products
When using domain users as BRAIN2 users, communication with Active Directory services is unencrypted
CVSS Base8.4
â
CRSSelect profile
CVE-2025-12509
8.4
clientMultiple Products
On a client with an admin user, a Global_Shipping script can be implemented
CVSS Base8.4
â
CRSSelect profile
CVE-2025-12357
8.3
theMultiple Products
By manipulating the Signal Level Attenuation Characterization (SLAC)
protocol with spoofed measurements, an attacker can stage a
man-in-the-middle attack between an electric vehicle and chargers that
comply with the ISO 15118-2 part
CVSS Base8.3
â
CRSSelect profile
CVE-2025-62618
8
ELOGMultiple Products
ELOG allows an authenticated user to upload arbitrary HTML files
CVSS Base8
â
CRSSelect profile
CVE-2025-33003
7.8
IBMMultiple Products
IBM InfoSphere Information Server 11
CVSS Base7.8
â
CRSSelect profile
CVE-2025-60749
7.8
Trimble SketchUpMultiple Products
DLL Hijacking vulnerability in Trimble SketchUp desktop 2025 via crafted libcef
CVSS Base7.8
â
CRSSelect profile
CVE-2025-6176
7.5
ScrapyMultiple Products
Scrapy versions up to 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-62232
7.5
SensitiveMultiple Products
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58147
7.5
UnknownMultiple Products
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58148
7.5
UnknownMultiple Products
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58149
7.5
WhenMultiple Products
When passing through PCI devices, the detach logic in libxl won't remove
access permissions to any 64bit memory BARs the device might have
CVSS Base7.5
â
CRSSelect profile
CVE-2025-12501
7.5
IDEMultiple Products
Integer overflow in GameMaker IDE below 2024
CVSS Base7.5
â
CRSSelect profile
CVE-2025-57106
7.5
KitwareMultiple Products
Kitware VTK (Visualization Toolkit) up to 9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63468
7.5
TotolinkMultiple Products
Totolink LR350 v9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63469
7.5
TotolinkMultiple Products
Totolink LR350 v9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63464
7.5
TotolinkMultiple Products
Totolink LR350 v9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63465
7.5
TotolinkMultiple Products
Totolink LR350 v9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63561
7.5
priorMultiple Products
Summer Pearl Group Vacation Rental Management Platform prior to 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-30189
7.4
WhenMultiple Products
When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users
CVSS Base7.4
â
CRSSelect profile
CVE-2025-54763
7.2
FutureNetMultiple Products
FutureNet MA and IP-K series provided by Century Systems Co
CVSS Base7.2
â
CRSSelect profile
CVE-2025-57107
7.1
KitwareMultiple Products
Kitware VTK (Visualization Toolkit) through 9
CVSS Base7.1
â
CRSSelect profile
CVE-2025-64168
7.1
AgnoMultiple Products
Agno is a multi-agent framework, runtime and control plane
CVSS Base7.1
â
CRSSelect profile
CVE-2025-64348
7.1
ELOGMultiple Products
ELOG allows an authenticated user to modify or overwrite the configuration file, resulting in denial of service