Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Archived Security Brief
Wednesday's security landscape remains stable with 5 critical vulnerabilities (CVSS 9.0+) and 35 high-priority issues, unchanged from Tuesday's disclosure activity. The threat environment continues to be dominated by authentication bypass flaws in EIP Plus (CVE-2025-12866) and New Site Server (CVE-2025-12868), both rated CVSS 9.8, along with critical issues affecting JetBrains YouTrack, Triofox, and Soft Serve. Vendor patches remain available for 13% of disclosed vulnerabilities. Ten vulnerabilities are being actively exploited in the wild, with one urgent deadline passing today (November 12) for Motex LANSCOPE (CVE-2025-61932), while Adobe Commerce and Microsoft Windows patches have deadlines approaching November 13.
Critical vulnerabilities: 5 CVSS 9.0+ issues (unchanged from Tuesday)
Key products affected: JetBrains YouTrack, EIP Plus, New Site Server, Triofox, Soft Serve
Immediate action: URGENT: Motex LANSCOPE CVE-2025-61932 deadline passed today (November 12). Organizations must patch immediately. Priority patching also required for Adobe Commerce (CVE-2025-54236) and Microsoft Windows (CVE-2025-59287) with deadlines November 13. For critical vulnerabilities CVE-2025-12866 (EIP Plus) and CVE-2025-12868 (New Site Server), both CVSS 9.8, organizations should review vendor advisories and implement patches immediately. Given limited patch availability (13%), security teams should implement network segmentation, enhanced monitoring, and access controls for unpatched vulnerabilities.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2025-61932
9.5📝
MotexLANSCOPE Endpoint Manager
⏰ Federal Deadline:November 11, 2025(1 days remaining)
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-54236
9.5📝
AdobeCommerce and Magento
⏰ Federal Deadline:November 13, 2025(3 days remaining)
Adobe Commerce and Magento Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-59287
9.5📝
MicrosoftWindows
⏰ Federal Deadline:November 13, 2025(3 days remaining)
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-6204
9.5
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(7 days remaining)
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2025-6205
9.5📝
Dassault SystèmesDELMIA Apriso
⏰ Federal Deadline:November 17, 2025(7 days remaining)
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-41244
9.5📝
BroadcomVMware Aria Operations and VMware Tools
⏰ Federal Deadline:November 19, 2025(9 days remaining)
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-24893
9.5
XWikiPlatform
⏰ Federal Deadline:November 19, 2025(9 days remaining)
XWiki Platform Eval Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-48703
9.5📝
CWPControl Web Panel
⏰ Federal Deadline:November 24, 2025(14 days remaining)
CWP Control Web Panel OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-11371
9.5
GladinetCentreStack and Triofox
⏰ Federal Deadline:November 24, 2025(14 days remaining)
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-21042
9.5
SamsungMobile Devices
⏰ Federal Deadline:November 30, 2025(20 days remaining)
Samsung Mobile Devices Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2025-12866
9.8📝
EIP Plus developed by Hundred Plus has a Weak Password Recovery MechanismMultiple Products
EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successf...
CVSS Base9.8
→
CRSSelect profile
CVE-2025-12868
9.8📝
New Site Server developed by CyberTutor has a Use ofMultiple Products
New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on...
CVSS Base9.8
→
CRSSelect profile
CVE-2025-64689
9.6📝
In JetBrains YouTrack beforeMultiple Products
In JetBrains YouTrack before 2025.3.104432 misconfiguration in the Junie could lead to exposure of the global Junie token
CVSS Base9.6
→
CRSSelect profile
CVE-2025-12480
9.1📝
Triofox versions prior toMultiple Products
Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.
CVSS Base9.1
→
CRSSelect profile
CVE-2025-64522
9.1📝
Soft Serve is aMultiple Products
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create web...
CVSS Base9.1
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2025-12864
8.8📝
UnknownMultiple Products
U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents
CVSS Base8.8
→
CRSSelect profile
CVE-2025-12865
8.8📝
UnknownMultiple Products
U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents
CVSS Base8.8
→
CRSSelect profile
CVE-2025-12438
8.8📝
GoogleMultiple Products
Use after free in Ozone in Google Chrome on Linux and ChromeOS prior to 142
CVSS Base8.8
→
CRSSelect profile
CVE-2025-12429
8.8📝
GoogleMultiple Products
Inappropriate implementation in V8 in Google Chrome prior to 142
CVSS Base8.8
→
CRSSelect profile
CVE-2025-12432
8.8📝
GoogleMultiple Products
Race in V8 in Google Chrome prior to 142
CVSS Base8.8
→
CRSSelect profile
CVE-2025-64519
8.8📝
trackerMultiple Products
TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php
CVSS Base8.8
→
CRSSelect profile
CVE-2025-12726
7.5📝
GoogleMultiple Products
Inappropriate implementation in Views in Google Chrome on Windows prior to 142
CVSS Base7.5
→
CRSSelect profile
CVE-2025-64518
7.5📝
CycloneDXMultiple Products
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs
CVSS Base7.5
→
CRSSelect profile
CVE-2025-63711
7.1📝
SourceCodesterMultiple Products
A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1
CVSS Base7.1
→
CRSSelect profile
CVE-2025-12967
8📝
issueMultiple Products
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role
CVSS Base8
→
CRSSelect profile
CVE-2025-46430
7.3📝
DellMultiple Products
Dell Display and Peripheral Manager, versions prior to 2
CVSS Base7.3
→
CRSSelect profile
CVE-2025-64484
8.5📝
UnknownMultiple Products
OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups
CVSS Base8.5
→
CRSSelect profile
CVE-2025-12867
7.2📝
theMultiple Products
EIP Plus developed by Hundred Plus has an Arbitrary File Uplaod vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server
CVSS Base7.2
→
CRSSelect profile
CVE-2025-47773
8.8📝
CombodoMultiple Products
Combodo iTop is a web based IT service management tool
CVSS Base8.8
→
CRSSelect profile
CVE-2025-47932
8.8📝
CombodoMultiple Products
Combodo iTop is a web based IT service management tool
CVSS Base8.8
→
CRSSelect profile
CVE-2025-48065
8.8
CombodoMultiple Products
Combodo iTop is a web based IT service management tool
CVSS Base8.8
→
CRSSelect profile
CVE-2025-49145
8.7
CombodoMultiple Products
Combodo iTop is a web based IT service management tool
CVSS Base8.7
→
CRSSelect profile
CVE-2025-12613
8.6
cloudinaryMultiple Products
Versions of the package cloudinary before 2
CVSS Base8.6
→
CRSSelect profile
CVE-2025-64512
8.6
UnknownMultiple Products
Pdfminer
CVSS Base8.6
→
CRSSelect profile
CVE-2025-48055
8.5
CombodoMultiple Products
Combodo iTop is a web based IT service management tool
CVSS Base8.5
→
CRSSelect profile
CVE-2025-64456
8.4
ReSharperMultiple Products
In JetBrains ReSharper before 2025
CVSS Base8.4
→
CRSSelect profile
CVE-2025-64685
8.1
YouTrackMultiple Products
In JetBrains YouTrack before 2025
CVSS Base8.1
→
CRSSelect profile
CVE-2025-64501
7.6
ProsemirrorToHtmlMultiple Products
ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML
CVSS Base7.6
→
CRSSelect profile
CVE-2025-59777
7.5
NULLMultiple Products
NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1
CVSS Base7.5
→
CRSSelect profile
CVE-2025-62689
7.5
NULLMultiple Products
NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1
CVSS Base7.5
→
CRSSelect profile
CVE-2025-63455
7.5
TendaMultiple Products
Tenda AX-3 v16
CVSS Base7.5
→
CRSSelect profile
CVE-2025-64508
7.5
BugsinkMultiple Products
Bugsink is a self-hosted error tracking tool
CVSS Base7.5
→
CRSSelect profile
CVE-2025-64509
7.5
BugsinkMultiple Products
Bugsink is a self-hosted error tracking tool
CVSS Base7.5
→
CRSSelect profile
CVE-2025-41731
7.4
wasMultiple Products
A vulnerability was identified in the password generation algorithm when accessing the debug-interface
CVSS Base7.4
→
CRSSelect profile
CVE-2025-64688
7.4
YouTrackMultiple Products
In JetBrains YouTrack before 2025
CVSS Base7.4
→
CRSSelect profile
CVE-2025-12925
7.3
securityMultiple Products
A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224
CVSS Base7.3
→
CRSSelect profile
CVE-2025-12928
7.3
SearchMultiple Products
A vulnerability was detected in code-projects Online Job Search Engine 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-12929
7.3
ApplicationMultiple Products
A flaw has been found in SourceCodester Survey Application System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-12938
7.3
AdmissionMultiple Products
A vulnerability was identified in projectworlds Online Admission System 1
CVSS Base7.3
→
CRSSelect profile
CVE-2025-64167
7.1
CombodoMultiple Products
Combodo iTop is a web based IT service management tool