Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
This disclosure activity includes 9 critical CVEs (CVSS 9.0+), representing a 50% increase from yesterday's 6 critical vulnerabilities. High-priority CVEs rose to 54, up 17% from the previous day's 46 entries. Thirteen vulnerabilities are confirmed actively exploited, including CVE-2025-6218 affecting RARLAB WinRAR, CVE-2025-62221 in Microsoft Windows, and CVE-2025-48633 targeting Android Framework. Critical severity issues concentrate in Shiguangwu sgwbox products with multiple CVSS 9.8 vulnerabilities (CVE-2025-14705 through CVE-2025-14709), alongside Fox LMS CVE-2025-14156 and MooreThreads CVE-2025-65213. Patch availability stands at 0%, requiring organizations to implement compensating controls until vendor remediation becomes available.
9 critical CVEs disclosed, up 50% from yesterday's 6 critical vulnerabilities
54 high-priority CVEs identified, a 17% increase from the previous day
13 actively exploited vulnerabilities including WinRAR, Microsoft Windows, Android Framework, and GeoServer
0% patch availability necessitates compensating controls across all affected systems
Multiple critical vulnerabilities in Shiguangwu sgwbox, Fox LMS, DeepChat, and OpenShift products
Immediate action: Prioritize mitigation for actively exploited CVEs affecting WinRAR (CVE-2025-6218), Microsoft Windows (CVE-2025-62221), and Android Framework (CVE-2025-48633 and CVE-2025-48572). With no patches currently available, implement network segmentation, restrict access to affected services, and enable enhanced logging for detection. Security teams should maintain elevated monitoring throughout the week given the high volume of actively exploited vulnerabilities.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2021-26829
9.5
OpenPLCScadaBR
â° Federal Deadline:December 18, 2025(3 days remaining)
OpenPLC ScadaBR Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(7 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(7 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(8 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(13 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(13 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(14 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(14 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(16 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(17 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(17 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
â° Federal Deadline:January 4, 2026(20 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43529
9.5
AppleMultiple Products
â° Federal Deadline:January 4, 2026(20 days remaining)
Apple Multiple Products Use-After-Free WebKit Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-14156
9.8đ
The Fox LMSMultiple Products
The Fox LMS â WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-67744
9.6đ
DeepChat is anMultiple Products
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer to the DOM, this Cross-Site Scripting (XSS) flaw escalates to full Remote Code Execution (RCE), allowing an attacker to execute arbitrary system commands. Two concurrent issues, unsafe Mermaid configuration and an exposed IPC interface, cause this issue. Version 0.5.3 contains a patch.
CVSS Base9.6
â
CRSSelect profile
CVE-2025-14707
9.8đ
A security flaw has been discovered in Shiguangwu sgwboxMultiple Products
A security flaw has been discovered in Shiguangwu sgwbox N3 2.0.25. Affected is an unknown function of the file /usr/sbin/http_eshell_server of the component DOCKER Feature. Performing manipulation of the argument params results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-65213
9.8đ
MooreThreadsMultiple Products
MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14708
9.8đ
A weakness has been identified in Shiguangwu sgwboxMultiple Products
A weakness has been identified in Shiguangwu sgwbox N3 2.0.25. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/http_eshell_server of the component WIREDCFGGET Interface. Executing manipulation of the argument params can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14709
9.8đ
A security vulnerability has been detected in Shiguangwu sgwboxMultiple Products
A security vulnerability has been detected in Shiguangwu sgwbox N3 2.0.25. Affected by this issue is some unknown functionality of the file /usr/sbin/http_eshell_server of the component WIRELESSCFGGET Interface. The manipulation of the argument params leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14705
9.8đ
A vulnerability was determined in Shiguangwu sgwboxMultiple Products
A vulnerability was determined in Shiguangwu sgwbox N3 2.0.25. This affects an unknown function of the component SHARESERVER Feature. This manipulation of the argument params causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14706
9.8đ
A vulnerability was identified in Shiguangwu sgwboxMultiple Products
A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-13888
9.1đ
A flaw was found in OpenShiftMultiple Products
A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-14383
7.5đ
WordPressMultiple Products
The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14022
7.7đ
LINEMultiple Products
LINE client for iOS prior to 15
CVSS Base7.7
â
CRSSelect profile
CVE-2025-12684
7.1đ
WordPressMultiple Products
The URL Shortify WordPress plugin before 1
CVSS Base7.1
â
CRSSelect profile
CVE-2025-13355
7.1đ
WordPressMultiple Products
The URL Shortify WordPress plugin before 1
CVSS Base7.1
â
CRSSelect profile
CVE-2025-14712
7.5đ
StudentMultiple Products
Student Learning Assessment and Support System developed by JHENG GAO has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain test accounts and password
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14654
8.8đ
wasMultiple Products
A vulnerability was identified in Tenda AC20 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14655
8.8đ
securityMultiple Products
A security flaw has been discovered in Tenda AC20 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14656
8.8đ
weaknessMultiple Products
A weakness has been identified in Tenda AC20 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14659
8.8đ
D-LinkMultiple Products
A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03
CVSS Base8.8
â
CRSSelect profile
CVE-2024-44598
8.8đ
FNTMultiple Products
FNT Command 13
CVSS Base8.8
â
CRSSelect profile
CVE-2025-60786
8.8đ
import a ProjectMultiple Products
A Zip Slip vulnerability in the import a Project component of iceScrum v7
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9121
8.8đ
versionsMultiple Products
Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66449
8.8đ
ConvertXisMultiple Products
ConvertXis a self-hosted online file converter
CVSS Base8.8
â
CRSSelect profile
CVE-2025-11393
8.7đ
flawMultiple Products
A flaw was found in runtimes-inventory-rhel8-operator
CVSS Base8.7
â
CRSSelect profile
CVE-2025-66635
7.2đ
UnknownMultiple Products
Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config
CVSS Base7.2
â
CRSSelect profile
CVE-2024-44599
8.3
FNTMultiple Products
FNT Command 13
CVSS Base8.3
â
CRSSelect profile
CVE-2025-65742
8.2
Newgen OmniDocsMultiple Products
An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11
CVSS Base8.2
â
CRSSelect profile
CVE-2025-67900
8.1đ
AgentMultiple Products
NXLog Agent before 6
CVSS Base8.1
â
CRSSelect profile
CVE-2025-10881
7.8
maliciouslyMultiple Products
A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force a Heap-Based Overflow vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10882
7.8
maliciouslyMultiple Products
AA maliciously crafted X_T file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10883
7.8
maliciouslyMultiple Products
A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10884
7.8
maliciouslyMultiple Products
AA maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10886
7.8
maliciouslyMultiple Products
A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10887
7.8
maliciouslyMultiple Products
A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10888
7.8
maliciouslyMultiple Products
AA maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10889
7.8
maliciouslyMultiple Products
A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10898
7.8
maliciouslyMultiple Products
AA maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10899
7.8
maliciouslyMultiple Products
AA maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-10900
7.8
maliciouslyMultiple Products
AA maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-14593
7.8
maliciouslyMultiple Products
A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9452
7.8
maliciouslyMultiple Products
A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9453
7.8
maliciouslyMultiple Products
A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9454
7.8
maliciouslyMultiple Products
A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9455
7.8
maliciouslyMultiple Products
A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9456
7.8
maliciouslyMultiple Products
A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9457
7.8
maliciouslyMultiple Products
A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9459
7.8
maliciouslyMultiple Products
A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-9460
7.8
maliciouslyMultiple Products
A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability
CVSS Base7.8
â
CRSSelect profile
CVE-2025-14252
7.8
Advantech SUSI driverMultiple Products
An Improper Access Control vulnerability in Advantech SUSI driver (susi
CVSS Base7.8
â
CRSSelect profile
CVE-2025-61976
7.5
CHOCOMultiple Products
CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14653
7.3
ManagementMultiple Products
A vulnerability was determined in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14661
7.3
ManagemenMultiple Products
A vulnerability has been found in itsourcecode Student Managemen System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14664
7.3
ManagementMultiple Products
A vulnerability was identified in Campcodes Supplier Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14666
7.3
TrackingMultiple Products
A weakness has been identified in itsourcecode COVID Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14667
7.3
TrackingMultiple Products
A security vulnerability has been detected in itsourcecode COVID Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14668
7.3
ExaminationMultiple Products
A vulnerability was detected in campcodes Advanced Online Examination System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14672
7.3
flawMultiple Products
A flaw has been found in gmg137 snap7-rs up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14673
7.3
hasMultiple Products
A vulnerability has been found in gmg137 snap7-rs up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14704
7.3
wasMultiple Products
A vulnerability was found in Shiguangwu sgwbox N3 2
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14710
7.3
HotelsMultiple Products
A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14711
7.3
HotelsMultiple Products
A flaw has been found in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14503
7.2
AnMultiple Products
An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption
CVSS Base7.2
â
CRSSelect profile
CVE-2025-67751
7.2
ChurchCRMMultiple Products
ChurchCRM is an open-source church management system
CVSS Base7.2
â
CRSSelect profile
CVE-2025-14038
7
HybridMultiple Products
EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints