Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Monday's security landscape reveals 6 critical vulnerabilities, a 100% increase from Sunday's 3 critical disclosures. High-priority CVEs decreased 13% to 46, indicating a shift toward more severe findings. The 11 actively exploited vulnerabilities remain unchanged, with notable entries targeting Android Framework, Microsoft Windows, WinRAR, and GeoServer. Critical findings include multiple Shiguangwu sgwbox vulnerabilities (CVE-2025-14707, CVE-2025-14708, CVE-2025-14709) all scoring CVSS 9.8, alongside Tenda product flaws. Patch availability stands at 0%, requiring organizations to implement compensating controls until vendor updates become available.
Critical CVEs doubled from 3 to 6, a 100% increase from Sunday
High-priority CVEs decreased 13% to 46 disclosures
11 actively exploited vulnerabilities targeting Android Framework, Microsoft Windows, WinRAR, GeoServer, and D-Link routers
0% patch availability requires immediate compensating control implementation
Shiguangwu sgwbox and Tenda products account for all 6 critical vulnerabilities
Immediate action: Prioritize network segmentation and access restrictions for affected Shiguangwu sgwbox devices, Tenda products, and systems running Android Framework, WinRAR, or GeoServer. With zero patches currently available, implement web application firewalls, disable unnecessary services, and enhance monitoring for exploitation indicators. Monday staffing should account for assessing exposure to the actively exploited vulnerabilities across infrastructure.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2021-26829
9.5
OpenPLCScadaBR
â° Federal Deadline:December 18, 2025(4 days remaining)
OpenPLC ScadaBR Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(8 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(8 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(9 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(14 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(14 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(15 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(15 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(17 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(18 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(18 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-14707
9.8đ
A security flaw has been discovered in Shiguangwu sgwboxMultiple Products
A security flaw has been discovered in Shiguangwu sgwbox N3 2.0.25. Affected is an unknown function of the file /usr/sbin/http_eshell_server of the component DOCKER Feature. Performing manipulation of the argument params results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14665
9.8đ
A security flaw has been discovered in TendaMultiple Products
A security flaw has been discovered in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/DhcpListClient of the component HTTP Request Handler. The manipulation of the argument page results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14708
9.8đ
A weakness has been identified in Shiguangwu sgwboxMultiple Products
A weakness has been identified in Shiguangwu sgwbox N3 2.0.25. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/http_eshell_server of the component WIREDCFGGET Interface. Executing manipulation of the argument params can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14709
9.8đ
A security vulnerability has been detected in Shiguangwu sgwboxMultiple Products
A security vulnerability has been detected in Shiguangwu sgwbox N3 2.0.25. Affected by this issue is some unknown functionality of the file /usr/sbin/http_eshell_server of the component WIRELESSCFGGET Interface. The manipulation of the argument params leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14705
9.8đ
A vulnerability was determined in Shiguangwu sgwboxMultiple Products
A vulnerability was determined in Shiguangwu sgwbox N3 2.0.25. This affects an unknown function of the component SHARESERVER Feature. This manipulation of the argument params causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14706
9.8đ
A vulnerability was identified in Shiguangwu sgwboxMultiple Products
A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-14476
8.8đ
WordPressMultiple Products
The Doubly â Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13077
7.5đ
WordPressMultiple Products
The اŲØ˛ŲŲŲ ŲžÛاŲ ÚŠ ŲŲڊاŲ ØąØŗ ŲŲŲ ØØąŲŲ Ø§Û (ØŦدÛد) payamito sms woocommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'columns' parameter in all versions up to, and including, 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14397
8.8đ
WordPressMultiple Products
The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data to Privilege Escalation due to a missing capability check on the postem_ipsum_generate_users() function in all versions up to, and including, 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13089
7.5đ
WordPressMultiple Products
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and the 'attr_search' parameter in all versions up to, and including, 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13126
7.5đ
WordPressMultiple Products
The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13094
8.8đ
WordPressMultiple Products
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14475
8.1đ
WordPressMultiple Products
The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
CVSS Base8.1
â
CRSSelect profile
CVE-2025-14022
7.7đ
LINEMultiple Products
LINE client for iOS prior to 15
CVSS Base7.7
â
CRSSelect profile
CVE-2025-14542
7.5đ
arisesMultiple Products
The vulnerability arises when a client fetches a toolsâ JSON specification, known as a Manual, from a remote Manual Endpoint
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14712
7.5đ
StudentMultiple Products
Student Learning Assessment and Support System developed by JHENG GAO has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain test accounts and password
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14654
8.8đ
wasMultiple Products
A vulnerability was identified in Tenda AC20 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14655
8.8đ
securityMultiple Products
A security flaw has been discovered in Tenda AC20 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14656
8.8đ
weaknessMultiple Products
A weakness has been identified in Tenda AC20 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14659
8.8đ
D-LinkMultiple Products
A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03
CVSS Base8.8
â
CRSSelect profile
CVE-2025-67900
8.1đ
AgentMultiple Products
NXLog Agent before 6
CVSS Base8.1
â
CRSSelect profile
CVE-2025-14587
7.3
ManagementMultiple Products
A vulnerability was identified in itsourcecode Online Pet Shop Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14588
7.3
ManagementMultiple Products
A security flaw has been discovered in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14590
7.3
ManagementMultiple Products
A security vulnerability has been detected in code-projects Prison Management System 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14619
7.3
ManagementMultiple Products
A vulnerability was found in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14620
7.3
ManagementMultiple Products
A vulnerability was determined in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14621
7.3
ManagementMultiple Products
A vulnerability was identified in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14622
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14623
7.3
ManagementMultiple Products
A weakness has been identified in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14637
7.3
ManagementMultiple Products
A weakness has been identified in itsourcecode Online Pet Shop Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14638
7.3
ManagementMultiple Products
A security vulnerability has been detected in itsourcecode Online Pet Shop Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14639
7.3
ManagementMultiple Products
A vulnerability was detected in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14640
7.3
ManagementMultiple Products
A flaw has been found in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14643
7.3
RecordMultiple Products
A vulnerability was found in code-projects Simple Attendance Record System 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14644
7.3
ManagementMultiple Products
A vulnerability was determined in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14645
7.3
ManagementMultiple Products
A vulnerability was identified in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14646
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Student File Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14647
7.3
BookMultiple Products
A weakness has been identified in code-projects Computer Book Store 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14649
7.3
OrderingMultiple Products
A vulnerability was detected in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14650
7.3
OrderingMultiple Products
A flaw has been found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14652
7.3
OrderingMultiple Products
A vulnerability was found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14653
7.3
ManagementMultiple Products
A vulnerability was determined in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14661
7.3
ManagemenMultiple Products
A vulnerability has been found in itsourcecode Student Managemen System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14664
7.3
ManagementMultiple Products
A vulnerability was identified in Campcodes Supplier Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14666
7.3
TrackingMultiple Products
A weakness has been identified in itsourcecode COVID Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14667
7.3
TrackingMultiple Products
A security vulnerability has been detected in itsourcecode COVID Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14668
7.3
ExaminationMultiple Products
A vulnerability was detected in campcodes Advanced Online Examination System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14672
7.3
flawMultiple Products
A flaw has been found in gmg137 snap7-rs up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14673
7.3
hasMultiple Products
A vulnerability has been found in gmg137 snap7-rs up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14704
7.3
wasMultiple Products
A vulnerability was found in Shiguangwu sgwbox N3 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14710
7.3
HotelsMultiple Products
A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14711
7.3
HotelsMultiple Products
A flaw has been found in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0