Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Archived Security Brief
Sunday's security landscape marks a critical federal compliance deadline as 5 CISA KEV vulnerabilities expire TODAY requiring immediate patching for Apple iOS (CVE-2022-48503), Microsoft Windows (CVE-2025-33073), Kentico CMS (CVE-2025-2746, CVE-2025-2747), and Oracle E-Business Suite (CVE-2025-61884). In an unprecedented weekend development, zero critical CVEs (CVSS 9.0+) were disclosed for the first time in months, representing a 100% drop from Saturday's 6 vulnerabilities. However, the 22 high-priority CVEs demand continued vigilance despite the 76% decrease from yesterday's 93 disclosures. Federal agencies face compliance enforcement today while patch availability improved marginally to 21%, leaving 79% of vulnerabilities without vendor-provided fixes as organizations navigate this critical deadline day.
FEDERAL DEADLINE TODAY: 5 CISA KEV vulnerabilities expire November 9 requiring immediate compliance
Zero Critical CVEs: First time in months with no CVSS 9.0+ disclosures (down 100% from Saturday)
High Priority Drop: 22 vulnerabilities (down 76% from yesterday's 93)
Patch Availability: 21% (marginal 3% improvement, but 79% still lack vendor patches)
Urgent KEV Patches: Apple iOS, Microsoft Windows, Kentico CMS, Oracle E-Business Suite deadline TODAY
Sunday Compliance: Federal agencies must demonstrate KEV remediation before business hours Monday
Immediate action: Immediate action: Federal agencies and organizations must deploy emergency patches TODAY for CVE-2022-48503 (Apple iOS), CVE-2025-33073 (Microsoft Windows), CVE-2025-2746/CVE-2025-2747 (Kentico CMS), and CVE-2025-61884 (Oracle E-Business Suite) to meet November 9 federal deadline. Security teams should verify patch deployment, document compliance, and prepare deadline reports before end of business. Organizations unable to patch must implement compensating controls and document exceptions immediately.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2022-48503
9.5
AppleMultiple Products
⏰ Federal Deadline:November 9, 2025(1 days remaining)
Apple Multiple Products Unspecified Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-2746
9.5
KenticoXperience CMS
⏰ Federal Deadline:November 9, 2025(1 days remaining)
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-2747
9.5
KenticoXperience CMS
⏰ Federal Deadline:November 9, 2025(1 days remaining)
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-33073
9.5
MicrosoftWindows
⏰ Federal Deadline:November 9, 2025(1 days remaining)
Microsoft Windows SMB Client Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-61884
9.5📝
OracleE-Business Suite
⏰ Federal Deadline:November 9, 2025(1 days remaining)
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-61932
9.5📝
MotexLANSCOPE Endpoint Manager
⏰ Federal Deadline:November 11, 2025(3 days remaining)
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-54236
9.5📝
AdobeCommerce and Magento
⏰ Federal Deadline:November 13, 2025(5 days remaining)
Adobe Commerce and Magento Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-59287
9.5📝
MicrosoftWindows
⏰ Federal Deadline:November 13, 2025(5 days remaining)
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-6204
9.5
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(9 days remaining)
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-6205
9.5📝
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(9 days remaining)
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-41244
9.5📝
BroadcomVMware Aria Operations and VMware Tools
⏰ Federal Deadline:November 19, 2025(11 days remaining)
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-24893
9.5
XWikiPlatform
⏰ Federal Deadline:November 19, 2025(11 days remaining)
XWiki Platform Eval Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-48703
9.5📝
CWPControl Web Panel
⏰ Federal Deadline:November 24, 2025(16 days remaining)
CWP Control Web Panel OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-11371
9.5
GladinetCentreStack and Triofox
⏰ Federal Deadline:November 24, 2025(16 days remaining)
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2025-12099
7.2📝
WordPressMultiple Products
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3
CVSS Base7.2
→
CRSSelect profile
CVE-2025-4519
8.8📝
WordPressMultiple Products
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_password() function in versions 2
CVSS Base8.8
→
CRSSelect profile
CVE-2025-64347
7.5📝
ApolloMultiple Products
Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2
CVSS Base7.5
→
CRSSelect profile
CVE-2025-5483
8.1📝
WordPressMultiple Products
The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user
CVSS Base8.1
→
CRSSelect profile
CVE-2025-11452
7.5📝
WordPressMultiple Products
The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforum_unread_exclude']' cookie in all versions up to, and including, 3
CVSS Base7.5
→
CRSSelect profile
CVE-2025-37736
8.8📝
ImproperMultiple Products
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed
CVSS Base8.8
→
CRSSelect profile
CVE-2025-12161
8.8📝
WordPressMultiple Products
The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1
CVSS Base8.8
→
CRSSelect profile
CVE-2025-9334
8.8📝
WordPressMultiple Products
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1
CVSS Base8.8
→
CRSSelect profile
CVE-2025-11967
7.2📝
WordPressMultiple Products
The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1
CVSS Base7.2
→
CRSSelect profile
CVE-2025-12399
7.2📝
WordPressMultiple Products
The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2
CVSS Base7.2
→
CRSSelect profile
CVE-2025-10968
8.8📝
GG Soft SoftwareMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in GG Soft Software Services Inc
CVSS Base8.8
→
CRSSelect profile
CVE-2025-64184
8.8📝
DosageMultiple Products
Dosage is a comic strip downloader and archiver
CVSS Base8.8
→
CRSSelect profile
CVE-2025-64492
8.8📝
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.8
→
CRSSelect profile
CVE-2025-64495
8.7📝
OpenMultiple Products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVSS Base8.7
→
CRSSelect profile
CVE-2025-64489
8.3📝
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.3
→
CRSSelect profile
CVE-2025-64490
8.3
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.3
→
CRSSelect profile
CVE-2025-64343
7.8
UnknownMultiple Products
(conda) Constructor is a tool that enables users to create installers for conda package collections
CVSS Base7.8
→
CRSSelect profile
CVE-2025-9458
7.8
maliciouslyMultiple Products
A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory Corruption vulnerability
CVSS Base7.8
→
CRSSelect profile
CVE-2025-64430
7.5
ParseMultiple Products
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
CVSS Base7.5
→
CRSSelect profile
CVE-2025-12863
7.5
flawMultiple Products
A flaw was found in the xmlSetTreeDoc() function of the libxml2 XML parsing library
CVSS Base7.5
→
CRSSelect profile
CVE-2025-36186
7.4
IBMMultiple Products
IBM Db2 12
CVSS Base7.4
→
CRSSelect profile
CVE-2025-64496
7.3
OpenMultiple Products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline