Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Friday's vulnerability disclosures include 25 critical CVEs, up 19% from Thursday's 21 critical issues. High-priority vulnerabilities increased significantly to 100 entries, a 49% rise from yesterday's 67. Sixteen actively exploited vulnerabilities require attention, including CVE-2025-20393 affecting Cisco products with a CVSS 10 score, CVE-2025-59718 targeting Fortinet systems, and CVE-2025-6218 impacting RARLAB WinRAR. Notable critical disclosures include CVE-2025-65041 (CVSS 10) affecting Microsoft Partner Center authorization and CVE-2025-65037 (CVSS 10) involving code generation flaws across multiple products. Patch availability stands at 0%, requiring compensating controls across affected systems.
25 critical CVEs disclosed, 19% increase from Thursday's count of 21
100 high-priority vulnerabilities, up 49% from yesterday's 67 entries
16 actively exploited CVEs including Fortinet, Cisco, SonicWall, and WinRAR products
0% patch availability requires immediate compensating control deployment
Android Framework, Microsoft Windows, and Google Chromium among targeted platforms
Immediate action: Prioritize network segmentation and access controls for Fortinet, Cisco, and SonicWall appliances given active exploitation and zero patch availability. Implement application whitelisting and restrict file upload functionality for systems affected by CVE-2025-64231 and CVE-2025-53433. Weekend staffing should include monitoring for exploitation attempts against WinRAR and Chromium vulnerabilities.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-59718
9.5đ
FortinetMultiple Products
â° Federal Deadline:December 22, 2025(4 days remaining)
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(4 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(4 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-40602
9.5
SonicWallSMA1000 appliance
â° Federal Deadline:December 23, 2025(5 days remaining)
SonicWall SMA1000 Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(5 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-20393
10
Cisco is aware of a potentialMultiple Products
â° Federal Deadline:December 23, 2025(5 days remaining)
Cisco is aware of a potential vulnerability. Cisco is currently investigating and will update these details as appropriate as more information becomes available.
CVSS Base10
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(10 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(10 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(11 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(11 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(13 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(14 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(14 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
â° Federal Deadline:January 4, 2026(17 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-59374
9.5
ASUSLive Update
â° Federal Deadline:January 6, 2026(19 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-64231
9.8đ
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact FormMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-53433
9.8đ
Improper Control of Filename forMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion.This issue affects EasyEat: from n/a through <= 1.9.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-65037
10đ
Improper control of generation of codeMultiple Products
Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
CVSS Base10
â
CRSSelect profile
CVE-2025-65041
10đ
Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over aMultiple Products
Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
CVSS Base10
â
CRSSelect profile
CVE-2023-53941
9.8đ
EasyPHP WebserverMultiple Products
EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14878
9.8đ
A security flaw has been discovered in TendaMultiple Products
A security flaw has been discovered in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/wirelessRestart of the component HTTP Request Handler. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14879
9.8đ
A weakness has been identified in TendaMultiple Products
A weakness has been identified in Tenda WH450 1.0.0.18. Affected is an unknown function of the file /goform/onSSIDChange of the component HTTP Request Handler. This manipulation of the argument ssid_index causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-58951
9.3đ
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-66078
9.1đ
Improper Control of Generation of CodeMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3.
CVSS Base9.1
â
CRSSelect profile
CVE-2025-68398
9.1đ
Weblate is a web based localizationMultiple Products
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
CVSS Base9.1
â
CRSSelect profile
CVE-2025-54723
9.8đ
Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows ObjectMultiple Products
Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.This issue affects DentiCare: from n/a through < 1.4.3.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-60089
9.8đ
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk PluginMultiple Products
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-60090
9.8đ
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms InsightlyMultiple Products
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-60091
9.8đ
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and BiginMultiple Products
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-60174
9.8đ
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact PluginMultiple Products
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection.This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through <= 1.1.2.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-60178
9.8
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpotMultiple Products
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-60180
9.8
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms SalesforceMultiple Products
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1.
Incorrect Privilege Assignment vulnerability in PenciDesign Soledad soledad allows Privilege Escalation.This issue affects Soledad: from n/a through <= 8.6.9.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-64206
9.8
Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows ObjectMultiple Products
Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-64227
9.8
Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout InvoicesMultiple Products
Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-64233
9.8
Deserialization of Untrusted Data vulnerability in BoldThemes Codiqa codiqa allows ObjectMultiple Products
Deserialization of Untrusted Data vulnerability in BoldThemes Codiqa codiqa allows Object Injection.This issue affects Codiqa: from n/a through < 1.2.8.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-64236
9.8
Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows AuthenticationMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a before 3.6.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-60062
9.4
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mmetrodw tPlayer tplayer-html5-audio-player-with-playlist allows SQL Injection.This issue affects tPlayer: from n/a through <= 1.2.1.6.
CVSS Base9.4
â
CRSSelect profile
CVE-2025-64374
9.9
Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using MaliciousMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using Malicious Files.This issue affects Motors: from n/a through <= 5.6.81.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-64663
9.9
Custom Question Answering Elevation of PrivilegeMultiple Products
Custom Question Answering Elevation of Privilege Vulnerability
CVSS Base9.9
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-58888
8.2đ
AncoraThemes TheMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes The Flash theflash allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43529
8.8đ
AMultiple Products
â° Federal Deadline:January 4, 2026(17 days remaining)
A use-after-free issue was addressed with improved memory management
CVSS Base8.8
â
CRSSelect profile
CVE-2025-53453
8.2đ
axiomthemes HygiaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Hygia hygia allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58803
8.2đ
axiomthemes AlgenixMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Algenix algenix allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58879
8.2đ
AncoraThemes FestyMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58885
8.2đ
AncoraThemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pathfinder pathfinder allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58889
8.2đ
axiomthemes TownyMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Towny towny allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58890
8.2đ
AncoraThemes PlayfulMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playful playful allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58891
8.2đ
AncoraThemes SangerMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Sanger sanger allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58892
8.2đ
AncoraThemes TourimoMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58893
8.2đ
axiomthemes AlrightMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Alright alright allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58894
8.2đ
axiomthemes Good MoodMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58895
8.2đ
AncoraThemes IntegroMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Integro integro allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58896
8.2đ
AncoraThemes OtakuMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Otaku otaku allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58898
8.2đ
AncoraThemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes HealthHub healthhub allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58929
8.2
axiomthemes PantryMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58930
8.2
axiomthemes FitFlexMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes FitFlex fitflex allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58931
8.2
axiomthemes PalatioMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Palatio palatio allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58932
8.2
axiomthemes PrismaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58940
8.2
axiomthemes BasilMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58941
8.2
axiomthemes FabricMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Fabric fabric allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58942
8.2
axiomthemes DwellMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Dwell dwell allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58943
8.2
axiomthemes AgricolaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Agricola agricola allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58944
8.2
axiomthemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58945
8.2
axiomthemes EcoGrowMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes EcoGrow ecogrow allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58946
8.2
axiomthemes VocalMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-58947
8.2
axiomthemes AthosMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60049
8.2
axiomthemes SoleilMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Soleil soleil allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60050
8.2
axiomthemes PandaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60051
8.2
AncoraThemes RareMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Rare Radio rareradio allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60052
8.2
AncoraThemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes W&D wd allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60053
8.2
AncoraThemes MaxCubeMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MaxCube maxcube allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60054
8.2
AncoraThemes OnLeashMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes OnLeash onleash allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60055
8.2
AncoraThemes FabricaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fabrica fabrica allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60063
8.2
axiomthemes RosalindaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rosalinda rosalinda allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-60072
8.2
Processby AnchorMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Anchor smooth scroll anchor-smooth-scroll allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-64205
8.2
TieLabs Jannah jannahMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion
CVSS Base8.2
â
CRSSelect profile
CVE-2025-49359
8.1
AncoraThemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49360
8.1
AncoraThemesMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49361
8.1
AncoraThemes MamitaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mamita mamita allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49362
8.1
AncoraThemes GraciozaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49363
8.1
AncoraThemes KingsMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Kings & Queens kings-queens allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49364
8.1
AncoraThemes LudosMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ludos Paradise ludos-paradise allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49365
8.1
AncoraThemes JackMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Jack Well jack-well allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49366
8.1
AncoraThemes HananiMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hanani hanani allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49367
8.1
AncoraThemes MonyxiMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Monyxi monyxi allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49368
8.1
AncoraThemes PalladioMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Palladio palladio allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49369
8.1
AncoraThemes LettuceMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Lettuce lettuce allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49370
8.1
AncoraThemes LymcoinMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Lymcoin lymcoin allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49371
8.1
AncoraThemes StruxMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Strux strux allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49941
8.1
AncoraThemes GlamChicMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes GlamChic glamchic allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49942
8.1
AncoraThemes GardisMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gardis gardis allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49943
8.1
AncoraThemes FemmeMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Femme femme allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-52745
8.1
AncoraThemes FarmMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Farm Agrico farmagrico allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-52768
8.1
AncoraThemes FaithMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Faith & Hope faith-hope allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53429
8.1
AncoraThemes ExitMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Exit Game exit-game allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-14364
8.8
WordPressMultiple Products
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13941
8.8
localMultiple Products
A local privilege escalation vulnerability exists in the Foxit PDF Reader/Editor Update Service
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53927
8.8đ
SimpleMultiple Products
PHPJabbers Simple CMS 5
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53929
8.8đ
phpMyFAQMultiple Products
phpMyFAQ 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-68434
8.8đ
OpenMultiple Products
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework
CVSS Base8.8
â
CRSSelect profile
CVE-2025-13641
8.8
WordPressMultiple Products
The Photo Gallery, Sliders, Proofing and Themes â NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14861
8.8
MemoryMultiple Products
Memory safety bugs present in Firefox 146
CVSS Base8.8
â
CRSSelect profile
CVE-2025-64675
8.3
ImproperMultiple Products
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network
CVSS Base8.3
â
CRSSelect profile
CVE-2025-64677
8.2
ImproperMultiple Products
Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network
CVSS Base8.2
â
CRSSelect profile
CVE-2025-68147
8.1đ
OpenMultiple Products
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework
CVSS Base8.1
â
CRSSelect profile
CVE-2025-14727
8.3đ
existsMultiple Products
A vulnerability exists in NGINX Ingress Controller's nginx
CVSS Base8.3
â
CRSSelect profile
CVE-2025-64266
8.8
RentalMultiple Products
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14849
8.8
AdvantechMultiple Products
Advantech WebAccess/SCADAÂ
is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code
CVSS Base8.8
â
CRSSelect profile
CVE-2025-67843
8.3
RenderingMultiple Products
A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file
CVSS Base8.3
â
CRSSelect profile
CVE-2025-59134
8.8
Jthemes IncorrectMultiple Products
Incorrect Privilege Assignment vulnerability in Jthemes Sale! Immigration law, Visa services support, Migration Agent Consulting immiex allows Privilege Escalation
CVSS Base8.8
â
CRSSelect profile
CVE-2025-60081
8.8
Deserialization ofMultiple Products
Deserialization of Untrusted Data vulnerability in add-ons
CVSS Base8.8
â
CRSSelect profile
CVE-2025-60082
8.8
Deserialization ofMultiple Products
Deserialization of Untrusted Data vulnerability in add-ons
CVSS Base8.8
â
CRSSelect profile
CVE-2025-60083
8.8
Deserialization ofMultiple Products
Deserialization of Untrusted Data vulnerability in add-ons
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47711
8.8
Kentico XperienceMultiple Products
A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro method parameters
CVSS Base8.8
â
CRSSelect profile
CVE-2025-58710
8.6
Incorrect PrivilegeMultiple Products
Incorrect Privilege Assignment vulnerability in e-plugins Hotel Listing hotel-listing allows Privilege Escalation
CVSS Base8.6
â
CRSSelect profile
CVE-2025-60084
8.6
Deserialization ofMultiple Products
Deserialization of Untrusted Data vulnerability in add-ons
CVSS Base8.6
â
CRSSelect profile
CVE-2025-14314
8.5
Roxnor PopupKitMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roxnor PopupKit popup-builder-block allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-64371
8.5
shinetheme TravelerMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-40892
8.9
StoredMultiple Products
A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter
CVSS Base8.9
â
CRSSelect profile
CVE-2025-66395
8.8
ChurchCRMMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.8
â
CRSSelect profile
CVE-2025-66953
8.8
narda miteq UplinkMultiple Products
CSRF vulnerability in narda miteq Uplink Power Contril Unit UPC2 v
CVSS Base8.8
â
CRSSelect profile
CVE-2025-34436
8.8
priorMultiple Products
AVideo versions prior to 20
CVSS Base8.8
â
CRSSelect profile
CVE-2025-34437
8.8
priorMultiple Products
AVideo versions prior to 20
CVSS Base8.8
â
CRSSelect profile
CVE-2025-46281
8.8
logicMultiple Products
A logic issue was addressed with improved checks
CVSS Base8.8
â
CRSSelect profile
CVE-2025-67877
8.8
ChurchCRMMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.8
â
CRSSelect profile
CVE-2025-68400
8.8
ChurchCRMMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53905
8.8
ProjectSendMultiple Products
ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53913
8.8
RukovoditelMultiple Products
Rukovoditel 3
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53924
8.8
UliCMSMultiple Products
UliCMS 2023
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53933
8.8
SerendipityMultiple Products
Serendipity 2
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25229
8.8
Kentico XperienceMultiple Products
An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53942
8.8
FileMultiple Products
File Thingie 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-62001
8.8
BullWallMultiple Products
BullWall Ransomware Containment contains excluded file paths, such as '$recycle
CVSS Base8.8
â
CRSSelect profile
CVE-2025-52692
8.8
SuccessfulMultiple Products
Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials
CVSS Base8.8
â
CRSSelect profile
CVE-2025-54741
8.6
Tyler Moore SuperMultiple Products
Missing Authorization vulnerability in Tyler Moore Super Blank super-blank allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.6
â
CRSSelect profile
CVE-2025-14096
8.4
existsMultiple Products
A vulnerability exists in multiple Radiometer products that allow an attacker with physical access to the analyzer possibility to extract credential information
CVSS Base8.4
â
CRSSelect profile
CVE-2025-66397
8.3
ChurchCRMMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.3
â
CRSSelect profile
CVE-2025-11774
8.2
software keyboardMultiple Products
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the software keyboard function (hereinafter referred to as "keypad function") of Mitsubishi Electric GENESIS64 versions 10