Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
This curated brief highlights 7 critical vulnerabilities and 64 high-priority updates requiring immediate attention.
92 total vulnerabilities disclosed in last 24 hours
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-13223
9.5đ
GoogleChromium V8
â° Federal Deadline:December 9, 2025(7 days remaining)
Google Chromium V8 Type Confusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-61757
9.5đ
OracleFusion Middleware
â° Federal Deadline:December 11, 2025(9 days remaining)
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26829
9.5
OpenPLCScadaBR
â° Federal Deadline:December 18, 2025(16 days remaining)
OpenPLC ScadaBR Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48633
9.5
AndroidFramework
â° Federal Deadline:December 22, 2025(20 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48572
9.5
AndroidFramework
â° Federal Deadline:December 22, 2025(20 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(21 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-13486
9.8đ
The Advanced CustomMultiple Products
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-66222
9.6đ
DeepChat is a smart assistant uses artificialMultiple Products
DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.
CVSS Base9.6
â
CRSSelect profile
CVE-2025-13390
10đ
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions upMultiple Products
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.
CVSS Base10
â
CRSSelect profile
CVE-2025-65267
9đ
In ERPNextMultiple Products
In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.
CVSS Base9
â
CRSSelect profile
CVE-2025-13342
9.8đ
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions upMultiple Products
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-55182
10đ
AMultiple Products
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVSS Base10
â
CRSSelect profile
CVE-2024-32641
9.8
Masa CMS is an open source Enterprise Content ManagementMultiple Products
Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-20386
8đ
versionsMultiple Products
In Splunk Enterprise for Windows versions below 10
CVSS Base8
â
CRSSelect profile
CVE-2025-20387
8đ
versionsMultiple Products
In Splunk Universal Forwarder for Windows versions below 10
CVSS Base8
â
CRSSelect profile
CVE-2025-13516
8.1đ
WordPressMultiple Products
The SureMail â SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1
CVSS Base8.1
â
CRSSelect profile
CVE-2025-13633
8.8đ
GoogleMultiple Products
Use after free in Digital Credentials in Google Chrome prior to 143
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13638
8.8đ
GoogleMultiple Products
Use after free in Media Stream in Google Chrome prior to 143
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13387
7.2đ
WordPressMultiple Products
The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-13724
7.5đ
WordPressMultiple Products
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-12529
8.8đ
WordPressMultiple Products
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13630
8.8đ
GoogleMultiple Products
Type Confusion in V8 in Google Chrome prior to 143
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13631
8.8đ
GoogleMultiple Products
Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13720
8.8đ
GoogleMultiple Products
Bad cast in Loader in Google Chrome prior to 143
CVSS Base8.8
â
CRSSelect profile
CVE-2025-53841
7.8đ
AgentMultiple Products
Akamai Guardicore Platform Agent before 52
CVSS Base7.8
â
CRSSelect profile
CVE-2025-13000
7.7đ
WordPressMultiple Products
The db-access WordPress plugin through 0
CVSS Base7.7
â
CRSSelect profile
CVE-2025-13721
7.5đ
GoogleMultiple Products
Race in v8 in Google Chrome prior to 143
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13646
7.5đ
WordPressMultiple Products
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13645
7.2
WordPressMultiple Products
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2
CVSS Base7.2
â
CRSSelect profile
CVE-2025-66411
7.8
CoderMultiple Products
Coder allows organizations to provision remote development environments via Terraform
CVSS Base7.8
â
CRSSelect profile
CVE-2024-3884
7.5
flawMultiple Products
A flaw was found in Undertow that can cause remote denial of service attacks
CVSS Base7.5
â
CRSSelect profile
CVE-2025-50360
8.4
heapMultiple Products
A heap buffer overflow in compiler
CVSS Base8.4
â
CRSSelect profile
CVE-2025-58481
7.3
ImproperMultiple Products
Improper access control in MPRemoteService of MotionPhoto prior to version 4
CVSS Base7.3
â
CRSSelect profile
CVE-2025-11787
8.8
operating systemMultiple Products
Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9
CVSS Base8.8
â
CRSSelect profile
CVE-2025-12744
8.8
flawMultiple Products
A flaw was found in the ABRT daemonâs handling of user-supplied mount information
CVSS Base8.8
â
CRSSelect profile
CVE-2025-57198
8.8
AVTECHMultiple Products
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine
CVSS Base8.8
â
CRSSelect profile
CVE-2025-57199
8.8
NetFailDetectDMultiple Products
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary
CVSS Base8.8
â
CRSSelect profile
CVE-2025-57201
8.8
SMBMultiple Products
AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function
CVSS Base8.8
â
CRSSelect profile
CVE-2024-32642
8.8
MasaMultiple Products
Masa CMS is an open source Enterprise Content Management platform
CVSS Base8.8
â
CRSSelect profile
CVE-2025-33208
8.8
NVIDIAMultiple Products
NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path
CVSS Base8.8
â
CRSSelect profile
CVE-2024-45675
8.4
IBMMultiple Products
IBM Informix Dynamic Server 14
CVSS Base8.4
â
CRSSelect profile
CVE-2025-64298
8.4
UnknownMultiple Products
NMIS/BioDose V22
CVSS Base8.4
â
CRSSelect profile
CVE-2025-61940
8.3
UnknownMultiple Products
NMIS/BioDose V22
CVSS Base8.3
â
CRSSelect profile
CVE-2025-62575
8.3
UnknownMultiple Products
NMIS/BioDose V22
CVSS Base8.3
â
CRSSelect profile
CVE-2025-64642
8
UnknownMultiple Products
NMIS/BioDose V22
CVSS Base8
â
CRSSelect profile
CVE-2025-54065
7.9
DoomMultiple Products
GZDoom is a feature centric port for all Doom engine games
CVSS Base7.9
â
CRSSelect profile
CVE-2025-20763
7.8
InMultiple Products
In mmdvfs, there is a possible out of bounds write due to a missing bounds check
CVSS Base7.8
â
CRSSelect profile
CVE-2025-20764
7.8
InMultiple Products
In smi, there is a possible out of bounds write due to a missing bounds check
CVSS Base7.8
â
CRSSelect profile
CVE-2025-20766
7.8
InMultiple Products
In display, there is a possible memory corruption due to improper input validation
CVSS Base7.8
â
CRSSelect profile
CVE-2025-20767
7.8
InMultiple Products
In display, there is a possible out of bounds write due to an integer overflow
CVSS Base7.8
â
CRSSelect profile
CVE-2025-20768
7.8
InMultiple Products
In display, there is a possible out of bounds read due to a missing bounds check
CVSS Base7.8
â
CRSSelect profile
CVE-2025-11781
7.8
UseMultiple Products
Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9
CVSS Base7.8
â
CRSSelect profile
CVE-2025-66476
7.8
VimMultiple Products
Vim is an open source, command line text editor
CVSS Base7.8
â
CRSSelect profile
CVE-2025-66431
7.8
PleskMultiple Products
WebPros Plesk before 18
CVSS Base7.8
â
CRSSelect profile
CVE-2025-7044
7.7
ImproperMultiple Products
An Improper Input Validation vulnerability exists in the user websocket handler of MAAS
CVSS Base7.7
â
CRSSelect profile
CVE-2025-65843
7.7
AquariusMultiple Products
Aquarius Desktop 3
CVSS Base7.7
â
CRSSelect profile
CVE-2025-66468
7.6
AimeosMultiple Products
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components
CVSS Base7.6
â
CRSSelect profile
CVE-2025-65027
7.6
ROMMultiple Products
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface
CVSS Base7.6
â
CRSSelect profile
CVE-2025-11789
7.5
CircutorMultiple Products
Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13295
7.5
Argus TechnologyMultiple Products
Insertion of Sensitive Information Into Sent Data vulnerability in Argus Technology Inc
CVSS Base7.5
â
CRSSelect profile
CVE-2025-41014
7.5
TCMAN GIM UserMultiple Products
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304
CVSS Base7.5
â
CRSSelect profile
CVE-2025-41015
7.5
TCMAN GIM UserMultiple Products
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304
CVSS Base7.5
â
CRSSelect profile
CVE-2025-64460
7.5
discoveredMultiple Products
An issue was discovered in 5
CVSS Base7.5
â
CRSSelect profile
CVE-2025-65844
7.5
EverShopMultiple Products
EverShop 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-61729
7.5
WithinMultiple Products
Within HostnameError
CVSS Base7.5
â
CRSSelect profile
CVE-2025-65320
7.5
AbacreMultiple Products
Abacre Restaurant Point of Sale (POS) up to 15
CVSS Base7.5
â
CRSSelect profile
CVE-2024-32643
7.5
MasaMultiple Products
Masa CMS is an open source Enterprise Content Management platform
CVSS Base7.5
â
CRSSelect profile
CVE-2025-54326
7.5
ProcessorMultiple Products
An issue was discovered in Camera in Samsung Mobile Processor Exynos 1280 and 2200
CVSS Base7.5
â
CRSSelect profile
CVE-2025-12819
7.5
PgBouncerMultiple Products
Untrusted search path in auth_query connection handler in PgBouncer before 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-33201
7.5
NVIDIAMultiple Products
NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause an improper check for unusual or exceptional conditions issue by sending extra large payloads
CVSS Base7.5
â
CRSSelect profile
CVE-2025-33211
7.5
NVIDIAMultiple Products
NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13947
7.4
flawMultiple Products
A flaw was found in WebKitGTK
CVSS Base7.4
â
CRSSelect profile
CVE-2025-58482
7.3
ImproperMultiple Products
Improper access control in MPLocalService of MotionPhoto prior to version 4
CVSS Base7.3
â
CRSSelect profile
CVE-2025-64778
7.3
UnknownMultiple Products
NMIS/BioDose software V22
CVSS Base7.3
â
CRSSelect profile
CVE-2025-59697
7.2
HSMiMultiple Products
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13
CVSS Base7.2
â
CRSSelect profile
CVE-2025-59702
7.2
HSMiMultiple Products
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13
CVSS Base7.2
â
CRSSelect profile
CVE-2025-66293
7.1
LIBPNGMultiple Products
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files