Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Archived Security Brief
Monday's security landscape shows continued lower disclosure activity with 11 high-priority vulnerabilities, representing a 50% decrease from Sunday's 22 and an 88% decrease from Friday's 93. No critical CVEs (CVSS 9.0+) were disclosed for the second consecutive day. The 11 high-priority vulnerabilities include issues affecting WordPress plugins, SuiteCRM, and various open-source components. Notably, no vendor patches are currently available for newly disclosed vulnerabilities, requiring organizations to implement compensating controls. Nine vulnerabilities are being actively exploited in the wild and should receive priority attention from security teams.
Lower disclosure activity: 11 high-priority CVEs (down 50% from Sunday, 88% from Friday)
No critical CVEs: Zero CVSS 9.0+ vulnerabilities disclosed for second consecutive day
Patch availability: 0% of new disclosures have vendor patches available
Actively exploited: 9 vulnerabilities confirmed with active exploitation
Focus areas: Web applications, CRM systems, and open-source components
Immediate action: Priority patching recommended for the 9 actively exploited vulnerabilities, particularly those affecting Apple iOS, Microsoft Windows, Adobe Commerce, and Motex LANSCOPE systems. For the 11 newly disclosed high-priority vulnerabilities without vendor patches, implement network segmentation, enhanced monitoring, and access controls as compensating measures. Security teams should focus on WordPress plugin updates and SuiteCRM hardening given the concentration of vulnerabilities in these platforms.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2025-61932
9.5📝
MotexLANSCOPE Endpoint Manager
⏰ Federal Deadline:November 11, 2025(2 days remaining)
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-54236
9.5📝
AdobeCommerce and Magento
⏰ Federal Deadline:November 13, 2025(4 days remaining)
Adobe Commerce and Magento Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-59287
9.5📝
MicrosoftWindows
⏰ Federal Deadline:November 13, 2025(4 days remaining)
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-6204
9.5
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(8 days remaining)
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-6205
9.5📝
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(8 days remaining)
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-41244
9.5📝
BroadcomVMware Aria Operations and VMware Tools
⏰ Federal Deadline:November 19, 2025(10 days remaining)
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-24893
9.5
XWikiPlatform
⏰ Federal Deadline:November 19, 2025(10 days remaining)
XWiki Platform Eval Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-48703
9.5📝
CWPControl Web Panel
⏰ Federal Deadline:November 24, 2025(15 days remaining)
CWP Control Web Panel OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-11371
9.5
GladinetCentreStack and Triofox
⏰ Federal Deadline:November 24, 2025(15 days remaining)
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2025-12099
7.2📝
WordPressMultiple Products
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3
CVSS Base7.2
→
CRSSelect profile
CVE-2025-11452
7.5📝
WordPressMultiple Products
The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforum_unread_exclude']' cookie in all versions up to, and including, 3
CVSS Base7.5
→
CRSSelect profile
CVE-2025-12161
8.8📝
WordPressMultiple Products
The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1
CVSS Base8.8
→
CRSSelect profile
CVE-2025-9334
8.8📝
WordPressMultiple Products
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1
CVSS Base8.8
→
CRSSelect profile
CVE-2025-11967
7.2📝
WordPressMultiple Products
The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1
CVSS Base7.2
→
CRSSelect profile
CVE-2025-12399
7.2📝
WordPressMultiple Products
The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2
CVSS Base7.2
→
CRSSelect profile
CVE-2025-64492
8.8📝
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.8
→
CRSSelect profile
CVE-2025-64495
8.7📝
OpenMultiple Products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVSS Base8.7
→
CRSSelect profile
CVE-2025-64489
8.3📝
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.3
→
CRSSelect profile
CVE-2025-64490
8.3📝
SuiteCRMMultiple Products
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS Base8.3
→
CRSSelect profile
CVE-2025-64496
7.3📝
OpenMultiple Products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline