Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Tuesday's vulnerability disclosure reflects elevated activity with 8 critical CVEs and 57 high-priority vulnerabilities, representing a 300% increase in critical vulnerabilities compared to Monday. Three severe SQL injection vulnerabilities in Blood Bank Management System (CVSS 10.0, 9.6, 9.6) and privilege escalation in Avast Antivirus (CVSS 9.0) highlight the most severe threats. Six CISA KEV vulnerabilities continue to require remediation across Samsung Mobile, Gladinet Triofox, Microsoft Windows, WatchGuard Firebox, and Google Chromium systems.
Eight critical vulnerabilities disclosed (CVSS 9.0+), a 300% increase from Monday's count of 2 critical CVEs
Fifty-seven high-priority vulnerabilities (CVSS 7.0-8.9), a 714% increase from Monday's 7 CVEs
Three Blood Bank Management System SQL injection flaws enable authentication bypass and data breach
Six CISA KEV vulnerabilities requiring remediation, unchanged from yesterday
Immediate action: Security teams should review the 8 critical vulnerabilities and assess organizational exposure to the 57 high-priority CVEs. Organizations should continue addressing the 6 CISA KEV vulnerabilities.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-12480
9.5đ
GladinetTriofox
â° Federal Deadline:December 2, 2025(1 days remaining)
Gladinet Triofox Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-62215
9.5
MicrosoftWindows
â° Federal Deadline:December 2, 2025(1 days remaining)
Microsoft Windows Race Condition Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-9242
9.5
WatchGuardFirebox
â° Federal Deadline:December 2, 2025(1 days remaining)
WatchGuard Firebox Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-13223
9.5đ
GoogleChromium V8
â° Federal Deadline:December 9, 2025(8 days remaining)
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-61757
9.5đ
OracleFusion Middleware
â° Federal Deadline:December 11, 2025(10 days remaining)
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26829
9.5
OpenPLCScadaBR
â° Federal Deadline:December 18, 2025(17 days remaining)
OpenPLC ScadaBR Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-63531
10đ
A SQL injection vulnerability exists in the Blood Bank Management SystemMultiple Products
A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the remail and rpassword fields, an attacker can bypass authentication and gain unauthorized access to the system.
CVSS Base10
â
CRSSelect profile
CVE-2025-63532
9.6đ
A SQL injection vulnerability exists in the Blood Bank Management SystemMultiple Products
A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system.
CVSS Base9.6
â
CRSSelect profile
CVE-2025-63535
9.6đ
A SQL injection vulnerability exists in the Blood Bank Management SystemMultiple Products
A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize usersupplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system.
CVSS Base9.6
â
CRSSelect profile
CVE-2025-3500
9đ
Integer Overflow or Wraparound vulnerability in Avast AntivirusMultiple Products
Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation.This issue affects Antivirus: from 25.1.981.6 before 25.3.
CVSS Base9
â
CRSSelect profile
CVE-2025-8351
9đ
UnknownMultiple Products
Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Service of the anitvirus engine process.This issue affects Antivirus: from 8.3.70.94 before 8.3.70.98.
CVSS Base9
â
CRSSelect profile
CVE-2025-63525
9.6đ
An issue was discovered in Blood Bank Management SystemMultiple Products
An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php.
CVSS Base9.6
â
CRSSelect profile
CVE-2025-12106
9.1đ
Insufficient argument validation in OpenVPNMultiple Products
Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses
CVSS Base9.1
â
CRSSelect profile
CVE-2025-66401
9.8đ
MCP Watch is a comprehensive security scanner for Model Context ProtocolMultiple Products
MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-10101
8.1đ
Avast Antivirus onMultiple Products
Heap-based Buffer Overflow, Out-of-bounds Write vulnerability in Avast Antivirus on MacOS of a crafted Mach-O file may allow Local Execution of Code or Denial of Service of antivirus protection
CVSS Base8.1
â
CRSSelect profile
CVE-2025-7007
7.5đ
Avast Antivirus onMultiple Products
NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63365
7.1đ
FileMultiple Products
SoftSea EPUB File Reader 1
CVSS Base7.1
â
CRSSelect profile
CVE-2025-59789
7.5đ
UncontrolledMultiple Products
Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-64775
7.5đ
Apache Denial ofMultiple Products
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-26858
8.6đ
bufferMultiple Products
A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base8.6
â
CRSSelect profile
CVE-2025-41738
7.5đ
visualisationMultiple Products
An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition
CVSS Base7.5
â
CRSSelect profile
CVE-2025-66205
7.1đ
FrappeMultiple Products
Frappe is a full-stack web application framework
CVSS Base7.1
â
CRSSelect profile
CVE-2025-66295
8.8đ
GravMultiple Products
Grav is a file-based Web platform
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66296
8.8đ
GravMultiple Products
Grav is a file-based Web platform
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66299
8.8đ
GravMultiple Products
Grav is a file-based Web platform
CVSS Base8.8
â
CRSSelect profile
CVE-2024-45370
7.3đ
ConfigMultiple Products
An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2
CVSS Base7.3
â
CRSSelect profile
CVE-2024-48882
8.6đ
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base8.6
â
CRSSelect profile
CVE-2025-23417
8.6đ
denialMultiple Products
A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base8.6
â
CRSSelect profile
CVE-2025-55221
8.6đ
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1
CVSS Base8.6
â
CRSSelect profile
CVE-2025-55222
8.6
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1
CVSS Base8.6
â
CRSSelect profile
CVE-2025-63526
8.5
AMultiple Products
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs
CVSS Base8.5
â
CRSSelect profile
CVE-2025-63527
8.5
ManagementMultiple Products
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1
CVSS Base8.5
â
CRSSelect profile
CVE-2025-63528
8.5
ManagementMultiple Products
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1
CVSS Base8.5
â
CRSSelect profile
CVE-2025-63533
8.5
ManagementMultiple Products
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1
CVSS Base8.5
â
CRSSelect profile
CVE-2025-63534
8.5
ManagementMultiple Products
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1
CVSS Base8.5
â
CRSSelect profile
CVE-2025-66300
8.5
GravMultiple Products
Grav is a file-based Web platform
CVSS Base8.5
â
CRSSelect profile
CVE-2024-39148
8.1
KerOSMultiple Products
The service wmp-agent of KerOS prior 5
CVSS Base8.1
â
CRSSelect profile
CVE-2025-57489
8.1
IncorrectMultiple Products
Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3
CVSS Base8.1
â
CRSSelect profile
CVE-2025-64772
7.8
INZONEMultiple Products
The installer of INZONE Hub 1
CVSS Base7.8
â
CRSSelect profile
CVE-2025-41700
7.8
unauthenticatedMultiple Products
An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system
CVSS Base7.8
â
CRSSelect profile
CVE-2025-61228
7.8
issueMultiple Products
An issue in Shirt Pocket SuperDuper! V
CVSS Base7.8
â
CRSSelect profile
CVE-2025-11131
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-11132
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-11133
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-3012
7.5
dpcMultiple Products
In dpc modem, there is a possible system crash due to null pointer dereference
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61607
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61608
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61609
7.5
InMultiple Products
In modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61610
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61617
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61618
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61619
7.5
In nrMultiple Products
In nr modem, there is a possible system crash due to improper input validation
CVSS Base7.5
â
CRSSelect profile
CVE-2024-56089
7.5
issueMultiple Products
An issue in Technitium through v13
CVSS Base7.5
â
CRSSelect profile
CVE-2024-53684
7.5
AMultiple Products
A cross-site request forgery (csrf) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54848
7.5
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54849
7.5
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54850
7.5
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54851
7.5
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13782
7.3đ
wasMultiple Products
A vulnerability was identified in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665
CVSS Base7.3
â
CRSSelect profile
CVE-2025-13786
7.3đ
wasMultiple Products
A vulnerability was detected in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665
CVSS Base7.3
â
CRSSelect profile
CVE-2025-13788
7.3đ
hasMultiple Products
A vulnerability has been found in Chanjet CRM up to 20251106
CVSS Base7.3
â
CRSSelect profile
CVE-2025-13792
7.3đ
securityMultiple Products
A security flaw has been discovered in Qualitor up to 8
CVSS Base7.3
â
CRSSelect profile
CVE-2025-13803
7.3
wasMultiple Products
A vulnerability was identified in MediaCrush 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-13806
7.3
securityMultiple Products
A security vulnerability has been detected in nutzam NutzBoot up to 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-13808
7.3
flawMultiple Products
A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-13814
7.3
securityMultiple Products
A security flaw has been discovered in moxi159753 Mogu Blog v2 up to 5
CVSS Base7.3
â
CRSSelect profile
CVE-2024-49572
7.2
denialMultiple Products
A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-20085
7.2
denialMultiple Products
A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-66423
7.1đ
TrytonMultiple Products
Tryton trytond 6
CVSS Base7.1
â
CRSSelect profile
CVE-2025-11699
7.1
nopCommerceMultiple Products
nopCommerce v4
CVSS Base7.1
â
CRSSelect profile
CVE-2025-66448
7.1
servingMultiple Products
vLLM is an inference and serving engine for large language models (LLMs)