Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Sunday's vulnerability landscape reveals 3 critical CVEs, a 67% decrease from Saturday's count of 9. High-priority vulnerabilities dropped 47% to 53 issues, reflecting typical weekend reduction patterns. The 11 actively exploited KEV vulnerabilities remain unchanged from yesterday, with notable entries including Android Framework flaws (CVE-2025-48633, CVE-2025-48572), Array Networks ArrayOS AG (CVE-2025-66644), and Microsoft Windows (CVE-2025-62221). Critical WordPress plugin vulnerabilities include CVE-2025-10738 affecting URL Shortener Plugin and CVE-2025-14440 impacting JAY Login. Patch availability stands at 0%, requiring organizations to prioritize network segmentation and access controls as interim mitigations.
3 critical CVEs identified, down 67% from Saturday's 9 critical issues
53 high-priority vulnerabilities, representing 47% decrease from 100 yesterday
11 actively exploited KEV entries targeting Android Framework, Microsoft Windows, Array Networks, and WinRAR
0% patch availability necessitates compensating controls across all affected systems
WordPress plugins (URL Shortener, JAY Login, Export WP Page to Static HTML) contain SQL injection flaws at CVSS 9.8
Immediate action: Prioritize mitigation of the 11 actively exploited vulnerabilities, particularly Android Framework and Microsoft Windows flaws affecting enterprise environments. Implement network segmentation and restrict access to vulnerable WordPress installations, D-Link routers, and GeoServer deployments until patches become available. Weekend security teams should monitor for exploitation attempts against KEV-listed products and escalate confirmed activity.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2021-26829
9.5
OpenPLCScadaBR
â° Federal Deadline:December 18, 2025(5 days remaining)
OpenPLC ScadaBR Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(9 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(9 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(10 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(15 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(15 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(16 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(16 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(18 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(19 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-10738
9.8đ
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via theMultiple Products
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the âanalytic_idâ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14440
9.8đ
The JAY LoginMultiple Products
The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-11693
9.8đ
The Export WP Page to Static HTMLMultiple Products
The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
â ī¸ CISA KEV
CVE-2025-14174
8.8đ
GoogleMultiple Products
â° Federal Deadline:January 1, 2026(19 days remaining)
Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14476
8.8đ
WordPressMultiple Products
The Doubly â Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13077
7.5đ
WordPressMultiple Products
The اŲØ˛ŲŲŲ ŲžÛاŲ ÚŠ ŲŲڊاŲ ØąØŗ ŲŲŲ ØØąŲŲ Ø§Û (ØŦدÛد) payamito sms woocommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'columns' parameter in all versions up to, and including, 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14397
8.8đ
WordPressMultiple Products
The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data to Privilege Escalation due to a missing capability check on the postem_ipsum_generate_users() function in all versions up to, and including, 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13089
7.5đ
WordPressMultiple Products
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and the 'attr_search' parameter in all versions up to, and including, 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13126
7.5đ
WordPressMultiple Products
The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13094
8.8đ
WordPressMultiple Products
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14475
8.1đ
WordPressMultiple Products
The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
CVSS Base8.1
â
CRSSelect profile
CVE-2025-12835
7.3đ
WordPressMultiple Products
The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server
CVSS Base7.3
â
CRSSelect profile
CVE-2025-54981
7.5đ
WeakMultiple Products
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data
This issue affects Apache StreamPark: from 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14542
7.5đ
arisesMultiple Products
The vulnerability arises when a client fetches a toolsâ JSON specification, known as a Manual, from a remote Manual Endpoint
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13506
8.8đ
Nebim Neyir ComputerMultiple Products
Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc
CVSS Base8.8
â
CRSSelect profile
CVE-2025-65530
8.8đ
evalMultiple Products
An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32
CVSS Base8.8
â
CRSSelect profile
CVE-2024-58305
8.8đ
WonderCMSMultiple Products
WonderCMS 4
CVSS Base8.8
â
CRSSelect profile
CVE-2024-58314
8.8đ
AtcomMultiple Products
Atcom 100M IP Phones firmware version 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14572
8.8
wasMultiple Products
A vulnerability was found in UTT čŋå 512W up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14654
8.8
wasMultiple Products
A vulnerability was identified in Tenda AC20 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-8083
8.6
PresetMultiple Products
The Preset configuration https://v2
CVSS Base8.6
â
CRSSelect profile
CVE-2025-67750
8.4
LightningMultiple Products
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows
CVSS Base8.4
â
CRSSelect profile
CVE-2025-13970
8
UnknownMultiple Products
OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack
due to the absence of proper CSRF validation
CVSS Base8
â
CRSSelect profile
CVE-2025-43467
7.8
ThisMultiple Products
This issue was addressed with improved checks
CVSS Base7.8
â
CRSSelect profile
CVE-2025-43527
7.8
permissionsMultiple Products
A permissions issue was addressed with additional restrictions
CVSS Base7.8
â
CRSSelect profile
CVE-2024-58316
7.5
SystemMultiple Products
Online Shopping System Advanced 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14565
7.3
wasMultiple Products
A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14566
7.3
securityMultiple Products
A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14570
7.3
ManagementMultiple Products
A flaw has been found in projectworlds Advanced Library Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14571
7.3
ManagementMultiple Products
A vulnerability has been found in projectworlds Advanced Library Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14578
7.3
ManagementMultiple Products
A weakness has been identified in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14583
7.3
EnrollmentMultiple Products
A flaw has been found in campcodes Online Student Enrollment System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14584
7.3
TrackingMultiple Products
A vulnerability has been found in itsourcecode COVID Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14585
7.3
TrackingMultiple Products
A vulnerability was found in itsourcecode COVID Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14587
7.3
ManagementMultiple Products
A vulnerability was identified in itsourcecode Online Pet Shop Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14588
7.3
ManagementMultiple Products
A security flaw has been discovered in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14590
7.3
ManagementMultiple Products
A security vulnerability has been detected in code-projects Prison Management System 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14619
7.3
ManagementMultiple Products
A vulnerability was found in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14620
7.3
ManagementMultiple Products
A vulnerability was determined in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14621
7.3
ManagementMultiple Products
A vulnerability was identified in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14622
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14623
7.3
ManagementMultiple Products
A weakness has been identified in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14637
7.3
ManagementMultiple Products
A weakness has been identified in itsourcecode Online Pet Shop Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14638
7.3
ManagementMultiple Products
A security vulnerability has been detected in itsourcecode Online Pet Shop Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14639
7.3
ManagementMultiple Products
A vulnerability was detected in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14640
7.3
ManagementMultiple Products
A flaw has been found in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14643
7.3
RecordMultiple Products
A vulnerability was found in code-projects Simple Attendance Record System 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14644
7.3
ManagementMultiple Products
A vulnerability was determined in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14645
7.3
ManagementMultiple Products
A vulnerability was identified in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14646
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14647
7.3
BookMultiple Products
A weakness has been identified in code-projects Computer Book Store 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14649
7.3
OrderingMultiple Products
A vulnerability was detected in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14650
7.3
OrderingMultiple Products
A flaw has been found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14652
7.3
OrderingMultiple Products
A vulnerability was found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14653
7.3
ManagementMultiple Products
A vulnerability was determined in itsourcecode Student Management System 1