Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Thursday's vulnerability landscape shows modest activity with twelve critical vulnerabilities (CVSS 9.0+) and 100 high-priority CVEs requiring assessment. The critical CVE count decreased by one issue from Wednesday, while high-priority disclosures remained unchanged at 100 vulnerabilities. Ten actively exploited vulnerabilities continue to require priority remediation. Patch availability improved to 15%, up from 9% on Wednesday, providing security teams with more immediate remediation options as the week progresses.
Twelve critical vulnerabilities (CVSS 9.0+), representing an 8% decrease from Wednesday's thirteen critical issues
100 high-priority vulnerabilities (CVSS 7.0-8.9), unchanged from Wednesday's count
Ten actively exploited vulnerabilities requiring priority remediation across enterprise and critical infrastructure environments
Patch availability improved to 15%, up from Wednesday's 9%, providing additional remediation options
Notable critical vulnerabilities include WordPress authentication bypass and Adobe Experience Manager issues requiring assessment
Immediate action: Security teams should assess the twelve active critical vulnerabilities and review the 100 high-priority CVEs for applicability to their environments. Organizations should prioritize remediation of the ten actively exploited vulnerabilities. With patch availability at 15%, teams should deploy available vendor patches while implementing compensating controls for vulnerabilities without immediate fixes.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-55182
9.5đ
MetaReact Server Components
â° Federal Deadline:December 11, 2025(1 days remaining)
Meta React Server Components Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-61757
9.5đ
OracleFusion Middleware
â° Federal Deadline:December 11, 2025(1 days remaining)
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26829
9.5
OpenPLCScadaBR
â° Federal Deadline:December 18, 2025(8 days remaining)
OpenPLC ScadaBR Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(12 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(12 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(13 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(18 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(18 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(19 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-67510
9.4đ
Neuron is a PHP framework for creating and orchestrating AIMultiple Products
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (âwrite toolâ), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
CVSS Base9.4
â
CRSSelect profile
CVE-2025-67506
9.8đ
PipesHub is a fully extensible workplace AI platform for enterprise search and workflowMultiple Products
PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.join(tmpdir, file.filename) without normalizing the filename. An attacker can submit a crafted filename containing ../ sequences to write arbitrary files anywhere the service account has permission, enabling remote file overwrite or planting malicious code. This issue is fixed in version 0.1.0-beta.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-13613
9.8đ
The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions upMultiple Products
The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and the 'eltdf_membership_login_user_from_social_network' function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.
Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-67511
9.6đ
Cybersecurity AIMultiple Products
Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection; while username, host and port values are injectable. This issue does not have a fix at the time of publication.
Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation, may also be affected.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-65807
9.8đ
An issue in sd commandMultiple Products
An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-13607
9.4đ
A malicious actor can access camera configurationMultiple Products
A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.
CVSS Base9.4
â
CRSSelect profile
CVE-2025-61808
9.1đ
ColdFusion versionsMultiple Products
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high priviledged attacker. Exploitation of this issue does not require user interaction and scope is changed.
CVSS Base9.1
â
CRSSelect profile
CVE-2025-61809
9.1đ
ColdFusion versionsMultiple Products
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
â ī¸ CISA KEV
CVE-2025-62221
7.8đ
UseMultiple Products
â° Federal Deadline:December 29, 2025(19 days remaining)
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-63062
7.6đ
AndonDesign UDesignMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion
CVSS Base7.6
â
CRSSelect profile
CVE-2025-63036
7.5đ
DFDevelopment RonnebyMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63076
7.5đ
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 Elements dt-the7-core allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-64678
8.8đ
UnknownMultiple Products
Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
CVSS Base8.8
â
CRSSelect profile
CVE-2025-62549
8.8đ
UntrustedMultiple Products
Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
CVSS Base8.8
â
CRSSelect profile
CVE-2025-67505
8.4đ
OktaMultiple Products
Okta Java Management SDK facilitates interactions with the Okta management API
CVSS Base8.4
â
CRSSelect profile
CVE-2025-62456
8.8đ
UnknownMultiple Products
Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network
CVSS Base8.8
â
CRSSelect profile
CVE-2025-62472
7.8đ
ConnectionMultiple Products
Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62474
7.8đ
ConnectionMultiple Products
Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-63003
7.5đ
fuelthemes NorthMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North - Required Plugin north-plugin allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-63074
7.5đ
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 dt-the7 allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-62557
8.4đ
MicrosoftMultiple Products
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally
CVSS Base8.4
â
CRSSelect profile
CVE-2025-62454
7.8đ
UnknownMultiple Products
Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62458
7.8đ
UnknownMultiple Products
Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62470
7.8đ
UnknownMultiple Products
Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62553
7.8đ
MicrosoftMultiple Products
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62558
7.8đ
MicrosoftMultiple Products
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62559
7.8đ
MicrosoftMultiple Products
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62562
7.8đ
MicrosoftMultiple Products
Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62563
7.8
MicrosoftMultiple Products
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64679
7.8
UnknownMultiple Products
Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64680
7.8
UnknownMultiple Products
Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62550
8.8
UnknownMultiple Products
Out-of-bounds write in Azure Monitor Agent allows an authorized attacker to execute code over a network
CVSS Base8.8
â
CRSSelect profile
CVE-2025-64672
8.8
MicrosoftMultiple Products
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14390
8.8
WordPressMultiple Products
The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5
CVSS Base8.8
â
CRSSelect profile
CVE-2025-62554
8.4
MicrosoftMultiple Products
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally
CVSS Base8.4
â
CRSSelect profile
CVE-2025-67509
8.2
NeuronMultiple Products
Neuron is a PHP framework for creating and orchestrating AI Agents
CVSS Base8.2
â
CRSSelect profile
CVE-2025-14333
8.1
FirefoxMultiple Products
Memory safety bugs present in Firefox ESR 140
CVSS Base8.1
â
CRSSelect profile
CVE-2025-54100
7.8
ImproperMultiple Products
Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-55233
7.8
UnknownMultiple Products
Out-of-bounds read in Windows Projected File System allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-59516
7.8
MissingMultiple Products
Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-59517
7.8
ImproperMultiple Products
Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62455
7.8
ImproperMultiple Products
Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62457
7.8
UnknownMultiple Products
Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62461
7.8
BufferMultiple Products
Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62462
7.8
BufferMultiple Products
Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62464
7.8
BufferMultiple Products
Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62466
7.8
WindowsMultiple Products
Null pointer dereference in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62467
7.8
IntegerMultiple Products
Integer overflow or wraparound in Windows Projected File System allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62552
7.8
MicrosoftMultiple Products
Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62556
7.8
MicrosoftMultiple Products
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62560
7.8
MicrosoftMultiple Products
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62561
7.8
MicrosoftMultiple Products
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62564
7.8
MicrosoftMultiple Products
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62571
7.8
ImproperMultiple Products
Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64661
7.8
ConcurrentMultiple Products
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64785
7.8
ReaderMultiple Products
Acrobat Reader versions 24
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64899
7.8
ReaderMultiple Products
Acrobat Reader versions 24
CVSS Base7.8
â
CRSSelect profile
CVE-2025-67460
7.8
ZoomMultiple Products
Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6
CVSS Base7.8
â
CRSSelect profile
CVE-2025-40820
7.5
AffectedMultiple Products
Affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range
CVSS Base7.5
â
CRSSelect profile
CVE-2025-60024
8.8
FortinetMultiple Products
Multiple Improper Limitations of a Pathname to a Restricted Directory ('Path Traversal') vulnerabilities [CWE-22] vulnerability in Fortinet FortiVoice 7
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66675
8.2
Apache Denial ofMultiple Products
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-64447
8.1
FortinetMultiple Products
A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8
CVSS Base8.1
â
CRSSelect profile
CVE-2025-66626
8.1
KubernetesMultiple Products
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes
CVSS Base8.1
â
CRSSelect profile
CVE-2025-67641
8
JenkinsMultiple Products
Jenkins Coverage Plugin 2
CVSS Base8
â
CRSSelect profile
CVE-2025-13659
8.8
EndpointMultiple Products
Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution
CVSS Base8.8
â
CRSSelect profile
CVE-2025-41730
8.8
unauthenticatedMultiple Products
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise
CVSS Base8.8
â
CRSSelect profile
CVE-2025-41732
8.8
unauthenticatedMultiple Products
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise
CVSS Base8.8
â
CRSSelect profile
CVE-2025-42874
7.9
SAPMultiple Products
SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls
CVSS Base7.9
â
CRSSelect profile
CVE-2025-14323
8.8
PrivilegeMultiple Products
Privilege escalation in the DOM: Notifications component
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14328
8.8
PrivilegeMultiple Products
Privilege escalation in the Netmonitor component
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14329
8.8
PrivilegeMultiple Products
Privilege escalation in the Netmonitor component
CVSS Base8.8
â
CRSSelect profile
CVE-2025-33213
8.8
NVIDIAMultiple Products
NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue
CVSS Base8.8
â
CRSSelect profile
CVE-2025-33214
8.8
NVIDIAMultiple Products
NVIDIA NVTabular for Linux contains a vulnerability in the Workflow component, where a user could cause a deserialization issue
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13662
7.8
EndpointMultiple Products
Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62093
8.5
LambertGroupMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2024-56835
8.8
hasMultiple Products
A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56704
8.8
LeptonCMSMultiple Products
LeptonCMS version 7
CVSS Base8.8
â
CRSSelect profile
CVE-2024-2104
8.8
GATTMultiple Products
Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66627
8.4
WasmiMultiple Products
Wasmi is a WebAssembly interpreter focused on constrained and embedded systems
CVSS Base8.4
â
CRSSelect profile
CVE-2025-64671
8.4
ImproperMultiple Products
Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally
CVSS Base8.4
â
CRSSelect profile
CVE-2025-61810
8.4
ColdFusionMultiple Products
ColdFusion versions 2025
CVSS Base8.4
â
CRSSelect profile
CVE-2025-61811
8.4
ColdFusionMultiple Products
ColdFusion versions 2025
CVSS Base8.4
â
CRSSelect profile
CVE-2025-61812
8.4
ColdFusionMultiple Products
ColdFusion versions 2025
CVSS Base8.4
â
CRSSelect profile
CVE-2025-40937
8.3
SIMATICMultiple Products
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4
CVSS Base8.3
â
CRSSelect profile
CVE-2025-42878
8.2
SAPMultiple Products
SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production
CVSS Base8.2
â
CRSSelect profile
CVE-2025-63057
8.2
Roxnor Wp UltimateMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS
CVSS Base8.2
â
CRSSelect profile
CVE-2025-61813
8.2
ColdFusionMultiple Products
ColdFusion versions 2025
CVSS Base8.2
â
CRSSelect profile
CVE-2025-40801
8.1
hasMultiple Products
A vulnerability has been identified in COMOS V10
CVSS Base8.1
â
CRSSelect profile
CVE-2025-40938
8.1
SIMATICMultiple Products
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4
CVSS Base8.1
â
CRSSelect profile
CVE-2025-65594
8.1
OpenSISMultiple Products
OpenSIS 9
CVSS Base8.1
â
CRSSelect profile
CVE-2025-67507
8.1
FilamentMultiple Products
Filament is a collection of full-stack components for accelerated Laravel development
CVSS Base8.1
â
CRSSelect profile
CVE-2025-14322
8
SandboxMultiple Products
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
CVSS Base8
â
CRSSelect profile
CVE-2025-67495
8
ZITADELMultiple Products
ZITADEL is an open-source identity infrastructure tool
CVSS Base8
â
CRSSelect profile
CVE-2025-66533
7.8
StellarWP GiveWP giveMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection
CVSS Base7.8
â
CRSSelect profile
CVE-2025-62572
7.8
UnknownMultiple Products
Out-of-bounds read in Application Information Services allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64673
7.8
ImproperMultiple Products
Improper access control in Storvsp
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64783
7.8
SDKMultiple Products
DNG SDK versions 1
CVSS Base7.8
â
CRSSelect profile
CVE-2025-67488
7.8
SiYuanMultiple Products
SiYuan is self-hosted, open source personal knowledge management software
CVSS Base7.8
â
CRSSelect profile
CVE-2025-12046
7.8
DLLMultiple Products
A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions
CVSS Base7.8
â
CRSSelect profile
CVE-2025-13152
7.8
OneMultiple Products
A potential DLL hijacking vulnerability was reported in Lenovo One Client during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges
CVSS Base7.8
â
CRSSelect profile
CVE-2025-13155
7.8
BaiyingMultiple Products
An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges
CVSS Base7.8
â
CRSSelect profile
CVE-2025-65199
7.8
commandMultiple Products
A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName' parameter of the 'changeMTU' function
CVSS Base7.8
â
CRSSelect profile
CVE-2025-24857
7.6
ImproperMultiple Products
Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017
CVSS Base7.6
â
CRSSelect profile
CVE-2024-56836
7.5
hasMultiple Products
A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14309
7.5
ravynsoft NULLMultiple Products
NULL Pointer Dereference vulnerability in ravynsoft ravynos
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14327
7.5
SpoofingMultiple Products
Spoofing issue in the Downloads Panel component
CVSS Base7.5
â
CRSSelect profile
CVE-2025-42877
7.5
CommunicationMultiple Products
SAP Web Dispatcher, Internet Communication Manager (ICM), and SAP Content Server allow an unauthenticated user to exploit logical errors that lead to a memory corruption vulnerability
CVSS Base7.5
â
CRSSelect profile
CVE-2025-59030
7.5
attackerMultiple Products
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP