CVE Brief - November 8, 2025

Saturday, November 8, 2025 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Select your system profile:

Risk scores will be adjusted based on your selected environment

Archived Security Brief

Saturday's security landscape presents a critical patch availability crisis as organizations head into the weekend with only 18% of newly disclosed vulnerabilities having vendor patches available. While critical CVE disclosures dropped 75% to just 6 vulnerabilities, 14 actively exploited CISA KEV vulnerabilities demand urgent attention with 5 federal deadlines expiring within the next 5 days including critical flaws in Apple iOS (CVE-2022-48503), Microsoft Windows (CVE-2025-33073), and Kentico CMS (CVE-2025-2746, CVE-2025-2747). The 93 high-priority CVEs represent a 9.4% increase from Friday, with significant impacts to WordPress ecosystems, enterprise infrastructure, and industrial control systems requiring immediate weekend security operations.

CISA KEV Crisis: 5 federal compliance deadlines expire within 5 days (November 9-13)
Patch Availability Emergency: Only 18% of vulnerabilities have vendor patches available
Critical CVEs: 6 vulnerabilities with CVSS 9.0+ scores (down 75% from yesterday)
High Priority Surge: 93 vulnerabilities requiring attention (up 9.4% from Friday)
Weekend Security Posture: Organizations must prioritize emergency patching for Apple iOS, Microsoft Windows, and Kentico CMS KEV vulnerabilities before Monday

Immediate action: Immediate action: Deploy emergency patches for CISA KEV vulnerabilities CVE-2022-48503 (Apple iOS), CVE-2025-33073 (Microsoft Windows), CVE-2025-2746 and CVE-2025-2747 (Kentico CMS) before November 9 federal deadline. Implement network segmentation and enhanced monitoring for the 82% of vulnerabilities lacking vendor patches. Security teams must maintain weekend staffing for compliance deadlines expiring Sunday and Monday.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

CISA Known Exploited Vulnerabilities

⚠️ CISA KEV URGENT

CVE-2022-48503

9.5

Apple Multiple Products October 19, 2025

⏰ Federal Deadline: November 9, 2025 (2 days remaining)

Apple Multiple Products Unspecified Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-2746

9.5

Kentico Xperience CMS October 19, 2025

⏰ Federal Deadline: November 9, 2025 (2 days remaining)

Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-2747

9.5

Kentico Xperience CMS October 19, 2025

⏰ Federal Deadline: November 9, 2025 (2 days remaining)

Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-33073

9.5

Microsoft Windows October 19, 2025

⏰ Federal Deadline: November 9, 2025 (2 days remaining)

Microsoft Windows SMB Client Improper Access Control Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-61884

9.5 📝

Oracle E-Business Suite October 19, 2025

⏰ Federal Deadline: November 9, 2025 (2 days remaining)

Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-61932

9.5 📝

Motex LANSCOPE Endpoint Manager October 21, 2025

⏰ Federal Deadline: November 11, 2025 (4 days remaining)

Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-54236

9.5 📝

Adobe Commerce and Magento October 23, 2025

⏰ Federal Deadline: November 13, 2025 (6 days remaining)

Adobe Commerce and Magento Improper Input Validation Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV URGENT

CVE-2025-59287

9.5 📝

Microsoft Windows October 23, 2025

⏰ Federal Deadline: November 13, 2025 (6 days remaining)

Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-6204

9.5

Dassault Systèmes DELMIA Apriso October 27, 2025

⏰ Federal Deadline: November 17, 2025 (10 days remaining)

Dassault Systèmes DELMIA Apriso Code Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-6205

9.5 📝

Dassault Systèmes DELMIA Apriso October 27, 2025

⏰ Federal Deadline: November 17, 2025 (10 days remaining)

Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-41244

9.5 📝

Broadcom VMware Aria Operations and VMware Tools October 29, 2025

⏰ Federal Deadline: November 19, 2025 (12 days remaining)

Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-24893

9.5

XWiki Platform October 29, 2025

⏰ Federal Deadline: November 19, 2025 (12 days remaining)

XWiki Platform Eval Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-48703

9.5 📝

CWP Control Web Panel November 3, 2025

⏰ Federal Deadline: November 24, 2025 (17 days remaining)

CWP Control Web Panel OS Command Injection Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-11371

9.5

Gladinet CentreStack and Triofox November 3, 2025

⏰ Federal Deadline: November 24, 2025 (17 days remaining)

Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability - Active in CISA KEV catalog.

CVSS Base 9.5

→

CRS Select profile

Critical Vulnerabilities

CVE-2025-10230

10 📝

A flaw was found in Multiple Products Nov 7, 2025

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from ...

CVSS Base 10

→

CRS Select profile

CVE-2025-12352

9.8 📝

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Multiple Products Nov 7, 2025

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This ...

CVSS Base 9.8

→

CRS Select profile

CVE-2025-63690

9.1 📝

In Multiple Products Nov 7, 2025

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a paramete...

CVSS Base 9.1

→

CRS Select profile

CVE-2025-63689

10 📝

Multiple SQL injection vulnerabilitites in Multiple Products Nov 7, 2025

Multiple SQL injection vulnerabilitites in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allows a remote attacker to execute arbitrary code via the order...

CVSS Base 10

→

CRS Select profile

CVE-2025-63691

9.6 📝

In Multiple Products Nov 7, 2025

In pig-mesh In Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface (/api/admin/sys-token/page) has an improper permission ve...

CVSS Base 9.6

→

CRS Select profile

CVE-2025-64180

10 📝

Unknown Multiple Products Nov 7, 2025

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw l...

CVSS Base 10

→

CRS Select profile

High Priority Updates

CVE-2025-60198

8.2 📝

WordPress Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon allows PHP Local File Inclusion

CVSS Base 8.2

→

CRS Select profile

CVE-2025-60199

8.2 📝

WordPress Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx InHype - Blog & Magazine WordPress Theme inhype allows PHP Local File Inclusion

CVSS Base 8.2

→

CRS Select profile

CVE-2025-60190

8.1 📝

WordPress Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hinnerk Altenburg Immocaster WordPress Plugin immocaster allows PHP Local File Inclusion

CVSS Base 8.1

→

CRS Select profile

CVE-2025-60191

7.5 📝

Premmerce Premmerce Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Wishlist for WooCommerce premmerce-woocommerce-wishlist allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60192

7.5 📝

Premmerce Premmerce Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Wholesale Pricing for WooCommerce premmerce-woocommerce-wholesale-pricing allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60194

7.5 📝

Premmerce Premmerce Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60203

7.5 📝

Josh Kohlbach Store Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach Store Exporter woocommerce-exporter allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60204

7.5 📝

Josh Kohlbach Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60248

7.5 📝

WPClever WPC Product Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPClever WPC Product Options for WooCommerce wpc-product-options allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-37735

7 📝

Improper Multiple Products November 7, 2025

Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM

CVSS Base 7

→

CRS Select profile

CVE-2025-12486

8.8 📝

Heimdall Multiple Products November 7, 2025

Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability

CVSS Base 8.8

→

CRS Select profile

CVE-2025-60197

8.2 📝

Improper Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in owenr88 Simple Contact Forms simple-contact-forms allows PHP Local File Inclusion

CVSS Base 8.2

→

CRS Select profile

CVE-2025-62010

8.1 📝

ApusTheme Famita Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Famita famita allows PHP Local File Inclusion

CVSS Base 8.1

→

CRS Select profile

CVE-2025-62014

8.1 📝

ApusTheme ITok Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme ITok itok

CVSS Base 8.1

→

CRS Select profile

CVE-2025-62045

8.1 📝

CodexThemes TheGem Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements

CVSS Base 8.1

→

CRS Select profile

CVE-2025-62055

8.1 📝

Improper Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Academist academist

CVSS Base 8.1

→

CRS Select profile

CVE-2025-62067

8.1 📝

Improper Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Savory savory

CVSS Base 8.1

→

CRS Select profile

CVE-2025-64287

8.1 📝

Improper Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion

CVSS Base 8.1

→

CRS Select profile

CVE-2025-62053

favethemes Houzez Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez houzez

CVSS Base 8

→

CRS Select profile

CVE-2025-11205

8.8

Google Multiple Products November 7, 2025

Heap buffer overflow in WebGPU in Google Chrome prior to 141

CVSS Base 8.8

→

CRS Select profile

CVE-2025-11756

8.8

Google Multiple Products November 7, 2025

Use after free in Safe Browsing in Google Chrome prior to 141

CVSS Base 8.8

→

CRS Select profile

CVE-2025-4519

8.8

WordPress Multiple Products November 7, 2025

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_password() function in versions 2

CVSS Base 8.8

→

CRS Select profile

CVE-2025-60074

7.5

Processby Lazy Load Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Lazy Load Optimizer lazy-load-optimizer allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60193

7.5

Premmerce Premmerce Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60196

7.5

Clearblue Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Clearblue Clearblue® Ovulation Calculator clearblue-ovulation-calculator allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60200

7.5

ThimPress LearnPress Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60201

7.5

aguilatechnologies WP Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aguilatechnologies WP Customer Area customer-area allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60202

7.5

Kyle Phillips Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kyle Phillips Favorites favorites allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60240

7.5

Alexander AnyComment Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60241

7.5

Premmerce Premmerce Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce premmerce allows PHP Local File Inclusion

CVSS Base 7.5

→

CRS Select profile

CVE-2025-64173

7.5

Apollo Multiple Products November 7, 2025

Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2

CVSS Base 7.5

→

CRS Select profile

CVE-2025-64347

7.5

Apollo Multiple Products November 7, 2025

Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2

CVSS Base 7.5

→

CRS Select profile

CVE-2025-62066

7.4

fuelthemes Revolution Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Revolution revolution

CVSS Base 7.4

→

CRS Select profile

CVE-2025-62075

7.3

Ido Kobelkowsky Multiple Products November 7, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ido Kobelkowsky Simple Payment simple-payment

CVSS Base 7.3

→

CRS Select profile

CVE-2025-11458

8.1

Google Multiple Products November 7, 2025

Heap buffer overflow in Sync in Google Chrome prior to 141

CVSS Base 8.1

→

CRS Select profile

CVE-2025-5483

8.1

WordPress Multiple Products November 7, 2025

The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user

CVSS Base 8.1

→

CRS Select profile

CVE-2025-63588

7.1

query handling of Multiple Products November 7, 2025

An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e

CVSS Base 7.1

→

CRS Select profile

CVE-2025-12036

8.8

Google Multiple Products November 7, 2025

Out of bounds memory access in V8 in Google Chrome prior to 141

CVSS Base 8.8

→

CRS Select profile

CVE-2025-37736

8.8

Improper Multiple Products November 7, 2025

Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed

CVSS Base 8.8

→

CRS Select profile

CVE-2025-11206

7.1

Google Multiple Products November 7, 2025

Heap buffer overflow in Video in Google Chrome prior to 141

CVSS Base 7.1

→

CRS Select profile

CVE-2025-12490

8.8

Netgate Multiple Products November 7, 2025

Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability

CVSS Base 8.8

→

CRS Select profile

CVE-2025-12790

7.4

flaw Multiple Products November 7, 2025

A flaw was found in Rubygem MQTT

CVSS Base 7.4

→

CRS Select profile

CVE-2025-62630

8.8

insufficient Multiple Products November 7, 2025

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions

CVSS Base 8.8

→

CRS Select profile

CVE-2025-54719

8.8

NooTheme Yogi Multiple Products November 7, 2025

Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Object Injection

CVSS Base 8.8

→

CRS Select profile

CVE-2025-58619

8.8

sbouey Falang Multiple Products November 7, 2025

Deserialization of Untrusted Data vulnerability in sbouey Falang multilanguage falang allows Object Injection

CVSS Base 8.8

→

CRS Select profile

CVE-2025-62035

8.8

uxper Togo Multiple Products November 7, 2025

Deserialization of Untrusted Data vulnerability in uxper Togo togo

CVSS Base 8.8

→

CRS Select profile

CVE-2025-10968

8.8

GG Soft Software Multiple Products November 7, 2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in GG Soft Software Services Inc

CVSS Base 8.8

→

CRS Select profile

CVE-2025-62041

7.1

CodexThemes TheGem Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor

CVSS Base 7.1

→

CRS Select profile

CVE-2025-64196

7.1

Pluggabl Booster Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-60239

8.5

Improper Multiple Products November 7, 2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codexpert, Inc CoSchool LMS coschool allows Blind SQL Injection

CVSS Base 8.5

→

CRS Select profile

CVE-2025-59171

7.5

insufficient Multiple Products November 7, 2025

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions

CVSS Base 7.5

→

CRS Select profile

CVE-2025-60541

7.3

A Multiple Products November 7, 2025

A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1

CVSS Base 7.3

→

CRS Select profile

CVE-2025-58592

8.1

Cozmoslabs Multiple Products November 7, 2025

Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection

CVSS Base 8.1

→

CRS Select profile

CVE-2025-10885

7.8

maliciously Multiple Products November 7, 2025

A maliciously crafted file, when executed on the victim's machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries

CVSS Base 7.8

→

CRS Select profile

CVE-2025-12489

7.8

Unknown Multiple Products November 7, 2025

evernote-mcp-server openBrowser Command Injection Privilege Escalation Vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-11956

8.9

Proliz Software Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd

CVSS Base 8.9

→

CRS Select profile

CVE-2025-12556

8.8

argument Multiple Products November 7, 2025

An argument injection vulnerability exists in the affected product that could allow an attacker to execute arbitrary code within the context of the host machine

CVSS Base 8.8

→

CRS Select profile

CVE-2025-62034

8.8

uxper Togo Incorrect Multiple Products November 7, 2025

Incorrect Privilege Assignment vulnerability in uxper Togo togo

CVSS Base 8.8

→

CRS Select profile

CVE-2025-12485

8.8

Devolutions Multiple Products November 7, 2025

Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie

CVSS Base 8.8

→

CRS Select profile

CVE-2025-58423

8.8

insufficient Multiple Products November 7, 2025

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to cause a denial-of-service condition, traverse directories, or read/write files, within the context of the local system account

CVSS Base 8.8

→

CRS Select profile

CVE-2025-64184

8.8

Dosage Multiple Products November 7, 2025

Dosage is a comic strip downloader and archiver

CVSS Base 8.8

→

CRS Select profile

CVE-2025-48090

8.2

Path Multiple Products November 7, 2025

Path Traversal: '

CVSS Base 8.2

→

CRS Select profile

CVE-2025-58207

8.2

WP Messiah Ai Image Multiple Products November 7, 2025

Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels

CVSS Base 8.2

→

CRS Select profile

CVE-2025-27919

8.2

AnyDesk Multiple Products November 7, 2025

An issue was discovered in AnyDesk through 9

CVSS Base 8.2

→

CRS Select profile

CVE-2025-63307

8.1

alexusmai Multiple Products November 7, 2025

alexusmai laravel-file-manager 3

CVSS Base 8.1

→

CRS Select profile

CVE-2025-64343

7.8

Unknown Multiple Products November 7, 2025

(conda) Constructor is a tool that enables users to create installers for conda package collections

CVSS Base 7.8

→

CRS Select profile

CVE-2025-9458

7.8

maliciously Multiple Products November 7, 2025

A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory Corruption vulnerability

CVSS Base 7.8

→

CRS Select profile

CVE-2025-62039

7.5

Ays Pro AI ChatBot Multiple Products November 7, 2025

Insertion of Sensitive Information Into Sent Data vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Retrieve Embedded Sensitive Data

CVSS Base 7.5

→

CRS Select profile

CVE-2025-27916

7.5

AnyDesk Multiple Products November 7, 2025

An issue was discovered in AnyDesk through 9

CVSS Base 7.5

→

CRS Select profile

CVE-2025-27917

7.5

AnyDesk Multiple Products November 7, 2025

An issue was discovered in AnyDesk through 9

CVSS Base 7.5

→

CRS Select profile

CVE-2025-63551

7.5

A Multiple Products November 7, 2025

A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8

CVSS Base 7.5

→

CRS Select profile

CVE-2025-64430

7.5

Parse Multiple Products November 7, 2025

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node

CVSS Base 7.5

→

CRS Select profile

CVE-2025-12863

7.5

flaw Multiple Products November 7, 2025

A flaw was found in the xmlSetTreeDoc() function of the libxml2 XML parsing library

CVSS Base 7.5

→

CRS Select profile

CVE-2025-36186

7.4

IBM Multiple Products November 7, 2025

IBM Db2 12

CVSS Base 7.4

→

CRS Select profile

CVE-2024-25621

7.3

containerd Multiple Products November 7, 2025

containerd is an open-source container runtime

CVSS Base 7.3

→

CRS Select profile

CVE-2025-53573

7.1

jegtheme Epic Review Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme Epic Review epic-review allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-53585

7.1

NooTheme WeMusic Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme WeMusic noo-wemusic allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-54711

7.1

bPlugins Info Cards Multiple Products November 7, 2025

Missing Authorization vulnerability in bPlugins Info Cards info-cards allows Accessing Functionality Not Properly Constrained by ACLs

CVSS Base 7.1

→

CRS Select profile

CVE-2025-54718

7.1

NooTheme Yogi Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-54721

7.1

ThimPress Resca resca Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Resca resca allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-54722

7.1

Improper Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ex-Themes WooTour woo-tour allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-54737

7.1

NooTheme Jobmonster Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-62031

7.1

tagDiv tagDiv Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer

CVSS Base 7.1

→

CRS Select profile

CVE-2025-62036

7.1

uxper Togo Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Togo togo

CVSS Base 7.1

→

CRS Select profile

CVE-2025-62040

7.1

YOP YOP Poll Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YOP YOP Poll yop-poll

CVSS Base 7.1

→

CRS Select profile

CVE-2025-62057

7.1

favethemes Houzez Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality

CVSS Base 7.1

→

CRS Select profile

CVE-2025-62059

7.1

Brainstorm Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force SureRank surerank

CVSS Base 7.1

→

CRS Select profile

CVE-2025-62074

7.1

Amauri Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amauri WPMobile

CVSS Base 7.1

→

CRS Select profile

CVE-2025-62076

7.1

Ido Kobelkowsky Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ido Kobelkowsky Simple Payment simple-payment

CVSS Base 7.1

→

CRS Select profile

CVE-2025-64198

7.1

appscreo Easy Social Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-64224

7.1

ThemeGoods Grand Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-64232

7.1

icopydoc Import from Multiple Products November 7, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS

CVSS Base 7.1

→

CRS Select profile

CVE-2025-63589

7.1

reflected Multiple Products November 7, 2025

A reflected XSS vulnerability exists in CMSimple_XH 1

CVSS Base 7.1

→

CRS Select profile

Archived Security Snapshot

🎯 SSCV Profile

📊 Archived Security Brief

Section Navigation

⚠️ CISA Known Exploited Vulnerabilities

🚨 Critical Vulnerabilities

⚠️ High Priority Updates

⭐ Starred CVEs

Archived Security Brief

CISA Known Exploited Vulnerabilities

Critical Vulnerabilities

High Priority Updates