Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Saturday's vulnerability landscape shows nine critical vulnerabilities (CVSS 9.0+), a 31% decrease from Friday's thirteen issues, while high-priority disclosures increased to 100 CVEs representing a 32% increase. The actively exploited vulnerability count expanded to eleven issues including newly added Sierra Wireless AirLink ALEOS and additional Android Framework entries. Notable critical vulnerabilities include WordPress plugin arbitrary file deletion (CVE-2025-14344), Apache insufficiently protected credentials (CVE-2025-58130), and Dormakaba Saflok physical access control system vulnerabilities (CVE-2024-58311). Zero patch availability across all 109 vulnerabilities continues to require compensating controls and enhanced weekend monitoring given reduced staffing levels.
Nine critical vulnerabilities (CVSS 9.0+), a 31% decrease from Friday's thirteen critical issues
100 high-priority vulnerabilities (CVSS 7.0-8.9), a 32% increase from Friday's 76 issues
Eleven actively exploited vulnerabilities requiring priority remediation, including newly cataloged Sierra Wireless AirLink and additional Android Framework entries
Zero patch availability across all 109 vulnerabilities requires implementation of compensating controls
WordPress ecosystem vulnerabilities include Gravity Forms plugin arbitrary file deletion and LazyTasks privilege escalation
Immediate action: Security teams should prioritize the eleven actively exploited vulnerabilities, particularly the newly cataloged Sierra Wireless AirLink ALEOS and Android Framework issues. Organizations using Dormakaba Saflok physical access systems, OpenPLC SCADA, or D-Link network devices should implement network segmentation and enhanced monitoring. Given zero patch availability and weekend staffing reductions, teams should establish clear escalation procedures and ensure monitoring coverage for critical infrastructure systems.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2021-26829
9.5
OpenPLCScadaBR
â° Federal Deadline:December 18, 2025(6 days remaining)
OpenPLC ScadaBR Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(10 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(10 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(11 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(16 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(16 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(17 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(17 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(19 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(20 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-12963
9.8đ
The LazyTasksMultiple Products
The LazyTasks â Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users with access to additional roles within the plugin
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14344
9.8đ
The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in theMultiple Products
The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-58130
9.1đ
Insufficiently Protected Credentials vulnerability in ApacheMultiple Products
Insufficiently Protected Credentials vulnerability in Apache Fineract.
This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.
Users are encouraged to upgrade to version 1.13.0, the latest release.
CVSS Base9.1
â
CRSSelect profile
CVE-2025-67728
9.8đ
Fireshare facilitatesMultiple Products
Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2024-14010
9.8đ
TyporaMultiple Products
Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.
CVSS Base9.8
â
CRSSelect profile
CVE-2024-58299
9.8đ
PCMan FTP ServerMultiple Products
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-65854
9.8đ
Insecure permissions in the scheduled tasks feature of MineAdminMultiple Products
Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allows attackers to execute arbitrary commands and execute a full account takeover.
CVSS Base9.8
â
CRSSelect profile
CVE-2024-58311
9.8đ
Dormakaba Saflok SystemMultiple Products
Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys using a simple mathematical transformation of the card's unique identifier.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-66430
9.1đ
PleskMultiple Products
Plesk 18.0 has Incorrect Access Control.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
â ī¸ CISA KEV
CVE-2025-14174
8.8đ
GoogleMultiple Products
â° Federal Deadline:January 1, 2026(20 days remaining)
Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14044
8.1đ
WordPressMultiple Products
The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
CVSS Base8.1
â
CRSSelect profile
CVE-2025-14169
7.5đ
WordPressMultiple Products
The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14068
7.5đ
WordPressMultiple Products
The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0
CVSS Base7.5
â
CRSSelect profile
CVE-2025-12824
8.8đ
WordPressMultiple Products
The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-12968
8.8đ
WordPressMultiple Products
The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13334
8.1đ
WordPressMultiple Products
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1
CVSS Base8.1
â
CRSSelect profile
CVE-2025-55312
7.8đ
WindowsMultiple Products
An issue was discovered in Foxit PDF and Editor for Windows before 13
CVSS Base7.8
â
CRSSelect profile
CVE-2025-55313
7.8đ
macOSMultiple Products
An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13
CVSS Base7.8
â
CRSSelect profile
CVE-2025-55314
7.8đ
macOSMultiple Products
An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64669
7.8đ
ImproperMultiple Products
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally
CVSS Base7.8
â
CRSSelect profile
CVE-2025-36918
7.8đ
InMultiple Products
In aoc_service_read_message of aoc_ipc_core
CVSS Base7.8
â
CRSSelect profile
CVE-2025-59802
7.5đ
ReaderMultiple Products
Foxit PDF Editor and Reader before 2025
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13886
7.5đ
WordPressMultiple Products
The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58137
8.1đ
ApacheMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract
CVSS Base8.1
â
CRSSelect profile
CVE-2025-54981
7.5
WeakMultiple Products
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data
This issue affects Apache StreamPark: from 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-26866
8.8
remoteMultiple Products
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store
CVSS Base8.8
â
CRSSelect profile
CVE-2025-67725
7.5
TornadoMultiple Products
Tornado is a Python web framework and asynchronous networking library
CVSS Base7.5
â
CRSSelect profile
CVE-2025-67726
7.5
TornadoMultiple Products
Tornado is a Python web framework and asynchronous networking library
CVSS Base7.5
â
CRSSelect profile
CVE-2025-56110
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI
CVSS Base8.8
â
CRSSelect profile
CVE-2025-44016
8.8
DEXMultiple Products
A vulnerability in TeamViewer DEX Client (former 1E client) - Content Distribution Service (NomadBranch
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14526
8.8
securityMultiple Products
A security flaw has been discovered in Tenda CH22 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56077
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56079
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56082
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56083
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_networkId_merge
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56084
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56085
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56086
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56087
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56088
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_service in file /usr/lib/lua/luci/controller/admin/service
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56089
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie M18 EW_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56090
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56091
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66918
8.8
UnknownMultiple Products
edoc-doctor-appointment-system v1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56092
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X30 PRO V1 X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56093
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56094
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/host_access_delay
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56095
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56096
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56097
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56098
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56099
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-YST AP_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56101
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie M18 EW_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56102
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56106
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56107
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the submit_wifi in file /usr/lib/lua/luci/controller/admin/common_quick_config
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56108
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56109
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_wireless in file /usr/lib/lua/luci/control/admin/wireless
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56111
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the network_set_wan_conf in file /usr/lib/lua/luci/controller/admin/netport
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56113
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-YST EST, YSTAP_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56114
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie M18 EW_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56117
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56118
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56120
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56122
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56123
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56127
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the get_wanobj in file /usr/lib/lua/luci/controller/admin/common
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56129
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56130
8.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13481
8.8
IBMMultiple Products
IBM Aspera Orchestrator 4
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66429
8.8
issueMultiple Products
An issue was discovered in cPanel 110 through 132
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66419
8.8
MaxKBMultiple Products
MaxKB is an open-source AI assistant for enterprise
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66446
8.8
MaxKBMultiple Products
MaxKB is an open-source AI assistant for enterprise
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13506
8.8
Nebim Neyir ComputerMultiple Products
Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc
CVSS Base8.8
â
CRSSelect profile
CVE-2025-65530
8.8
evalMultiple Products
An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32
CVSS Base8.8
â
CRSSelect profile
CVE-2024-58305
8.8
WonderCMSMultiple Products
WonderCMS 4
CVSS Base8.8
â
CRSSelect profile
CVE-2024-58314
8.8
AtcomMultiple Products
Atcom 100M IP Phones firmware version 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14572
8.8
wasMultiple Products
A vulnerability was found in UTT čŋå 512W up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-12716
8.7
versionsMultiple Products
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18
CVSS Base8.7
â
CRSSelect profile
CVE-2025-8405
8.7
versionsMultiple Products
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17
CVSS Base8.7
â
CRSSelect profile
CVE-2025-8083
8.6
PresetMultiple Products
The Preset configuration https://v2
CVSS Base8.6
â
CRSSelect profile
CVE-2025-67738
8.5
UnknownMultiple Products
squid/cachemgr
CVSS Base8.5
â
CRSSelect profile
CVE-2025-67750
8.4
LightningMultiple Products
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows
CVSS Base8.4
â
CRSSelect profile
CVE-2025-14523
8.2
forMultiple Products
A flaw in libsoupâs HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing
CVSS Base8.2
â
CRSSelect profile
CVE-2025-10451
8.2
UncheckedMultiple Products
Unchecked output buffer may allowed arbitrary code execution in SMM and potentially result in SMM memory corruption
CVSS Base8.2
â
CRSSelect profile
CVE-2025-66492
8.2
MasaMultiple Products
Masa CMS is an open source Enterprise Content Management platform
CVSS Base8.2
â
CRSSelect profile
CVE-2025-13148
8.1
IBMMultiple Products
IBM Aspera Orchestrator 4
CVSS Base8.1
â
CRSSelect profile
CVE-2025-12029
8
versionsMultiple Products
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15
CVSS Base8
â
CRSSelect profile
CVE-2025-36923
8
InMultiple Products
In NrmmDecoder::DecodeSORTransparentContext of cn_NrmmDecoder
CVSS Base8
â
CRSSelect profile
CVE-2025-36924
8
InMultiple Products
In ss_DecodeLcsAssistDataReqMsg(void) of ss_LcsManagement
CVSS Base8
â
CRSSelect profile
CVE-2025-67508
8
lineMultiple Products
gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools
CVSS Base8
â
CRSSelect profile
CVE-2025-64701
7.8
QNDMultiple Products
QND Premium/Advance/Standard Ver
CVSS Base7.8
â
CRSSelect profile
CVE-2025-56124
7.8
Ruijie OS CommandMultiple Products
OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1
CVSS Base7.8
â
CRSSelect profile
CVE-2025-36919
7.8
InMultiple Products
In aocc_read of aoc_channel_dev
CVSS Base7.8
â
CRSSelect profile
CVE-2025-36925
7.8
InMultiple Products
In WAVES_send_data_to_dsp of libaoc_waves
CVSS Base7.8
â
CRSSelect profile
CVE-2025-36927
7.8
GetTachyonCommandMultiple Products
In GetTachyonCommand of tachyon_server_common
CVSS Base7.8
â
CRSSelect profile
CVE-2025-36928
7.8
GetHostAddressMultiple Products
In GetHostAddress of gxp_buffer
CVSS Base7.8
â
CRSSelect profile
CVE-2025-36930
7.8
GetHostAddressMultiple Products
In GetHostAddress of gxp_buffer
CVSS Base7.8
â
CRSSelect profile
CVE-2025-36931
7.8
GetHostAddressMultiple Products
In GetHostAddress of gxp_buffer
CVSS Base7.8
â
CRSSelect profile
CVE-2025-40829
7.8
hasMultiple Products
A vulnerability has been identified in Simcenter Femap (All versions < V2512)
CVSS Base7.8
â
CRSSelect profile
CVE-2025-13003
7.6
Aksis ComputerMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc
CVSS Base7.6
â
CRSSelect profile
CVE-2025-13124
7.6
Netiket InformationMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd
CVSS Base7.6
â
CRSSelect profile
CVE-2025-13214
7.6
IBMMultiple Products
IBM Aspera Orchestrator 4
CVSS Base7.6
â
CRSSelect profile
CVE-2025-12562
7.5
versionsMultiple Products
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11
CVSS Base7.5
â
CRSSelect profile
CVE-2025-55184
7.5
ReactMultiple Products
A pre-authentication denial of service vulnerability exists in React Server Components versions 19
CVSS Base7.5
â
CRSSelect profile
CVE-2024-58304
7.5
CARTMultiple Products
SPA-CART CMS 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-67779
7.5
ReactMultiple Products
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case
CVSS Base7.5
â
CRSSelect profile
CVE-2024-58316
7.5
SystemMultiple Products
Online Shopping System Advanced 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14514
7.3
ManagementMultiple Products
A flaw has been found in Campcodes Supplier Management System 1