Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Sunday's vulnerability disclosures dropped to 2 critical CVEs, an 85% decrease from Saturday's 13 critical issues. High-priority vulnerabilities also declined significantly to 39, down 57% from yesterday's 91. The actively exploited vulnerability count holds steady at 17 KEV entries, including threats affecting Fortinet products, Android Framework, SonicWall SMA1000, Cisco products, and Microsoft Windows. Notable critical vulnerabilities include CVE-2025-13329 and CVE-2025-13619, both WordPress plugin file upload and privilege escalation flaws. With 0% patch availability reported, organizations should prioritize network segmentation and access controls for affected systems.
2 critical CVEs disclosed, down 85% from Saturday's 13
39 high-priority vulnerabilities, a 57% decrease from yesterday
17 actively exploited vulnerabilities affecting Fortinet, Android, SonicWall, Cisco, and Microsoft
WordPress plugins, WinRAR, GeoServer, and Apple products among affected systems
Immediate action: Focus immediate attention on the 17 actively exploited KEV vulnerabilities, particularly those affecting perimeter devices like Fortinet, SonicWall SMA1000, and WatchGuard Firebox. Implement network segmentation, disable unnecessary services, and enhance monitoring for affected systems until patches become available. Weekend security teams should maintain heightened awareness given the number of exploitation-active vulnerabilities.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-59718
9.5đ
FortinetMultiple Products
â° Federal Deadline:December 22, 2025(2 days remaining)
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(2 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(2 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-40602
9.5
SonicWallSMA1000 appliance
â° Federal Deadline:December 23, 2025(3 days remaining)
SonicWall SMA1000 Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-20393
9.5
CiscoMultiple Products
â° Federal Deadline:December 23, 2025(3 days remaining)
Cisco Multiple Products Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(3 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-14733
9.5
WatchGuardFirebox
â° Federal Deadline:December 25, 2025(5 days remaining)
WatchGuard Firebox Out of Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(8 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(8 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(9 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(9 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(11 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(12 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(12 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
â° Federal Deadline:January 4, 2026(15 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43529
9.5đ
AppleMultiple Products
â° Federal Deadline:January 4, 2026(15 days remaining)
Apple Multiple Products Use-After-Free WebKit Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-59374
9.5
ASUSLive Update
â° Federal Deadline:January 6, 2026(17 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-13329
9.8đ
The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for theMultiple Products
The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-13619
9.8đ
The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions upMultiple Products
The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-14071
7.5đ
WordPressMultiple Products
The Live Composer â Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14800
8.1đ
WordPressMultiple Products
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3
CVSS Base8.1
â
CRSSelect profile
CVE-2025-12980
7.5đ
WordPressMultiple Products
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites â PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5
CVSS Base7.5
â
CRSSelect profile
CVE-2025-7782
7.6đ
WordPressMultiple Products
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7
CVSS Base7.6
â
CRSSelect profile
CVE-2025-14812
7.5đ
priorMultiple Products
ArcSearch for iOS versions prior to 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14809
7.4đ
priorMultiple Products
ArcSearch for Android versions prior to 1
CVSS Base7.4
â
CRSSelect profile
CVE-2025-9343
7.2đ
WordPressMultiple Products
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3
CVSS Base7.2
â
CRSSelect profile
CVE-2025-14855
7.2đ
WordPressMultiple Products
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2
CVSS Base7.2
â
CRSSelect profile
CVE-2025-50681
7.5đ
igmpproxyMultiple Products
igmpproxy 0
CVSS Base7.5
â
CRSSelect profile
CVE-2023-53945
8.8đ
BrainyCPMultiple Products
BrainyCP 1
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53952
8.8đ
DotclearMultiple Products
Dotclear 2
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53956
8.8đ
FlatnuxMultiple Products
Flatnux 2021-03
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14992
8.8đ
securityMultiple Products
A security vulnerability has been detected in Tenda AC18 15
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14993
8.8đ
wasMultiple Products
A vulnerability was detected in Tenda AC18 15
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14994
8.8đ
flawMultiple Products
A flaw has been found in Tenda FH1201 and FH1206 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14995
8.8
hasMultiple Products
A vulnerability has been found in Tenda FH1201 1
CVSS Base8.8
â
CRSSelect profile
CVE-2023-53946
8.4
ArcsoftMultiple Products
Arcsoft PhotoStudio 6
CVSS Base8.4
â
CRSSelect profile
CVE-2023-53947
8.4
InventoryMultiple Products
OCS Inventory NG 2
CVSS Base8.4
â
CRSSelect profile
CVE-2023-53949
8.4
AspEmailMultiple Products
AspEmail 5
CVSS Base8.4
â
CRSSelect profile
CVE-2025-68477
7.7
LangflowMultiple Products
Langflow is a tool for building and deploying AI-powered agents and workflows
CVSS Base7.7
â
CRSSelect profile
CVE-2023-25446
7.7
HappyFiles HappyFilesMultiple Products
Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.7
â
CRSSelect profile
CVE-2025-67442
7.6
UnknownMultiple Products
EVE-NG 6
CVSS Base7.6
â
CRSSelect profile
CVE-2025-14847
7.5
unauthenticatedMultiple Products
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client
CVSS Base7.5
â
CRSSelect profile
CVE-2025-66909
7.5
TurmsMultiple Products
Turms AI-Serving module v0
CVSS Base7.5
â
CRSSelect profile
CVE-2025-66905
7.5
takeMultiple Products
The Takes web framework's TkFiles take thru 2
CVSS Base7.5
â
CRSSelect profile
CVE-2023-53958
7.5
ServiceMultiple Products
LDAP Tool Box Self Service Password 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-68644
7.4
RPSMultiple Products
Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses
CVSS Base7.4
â
CRSSelect profile
CVE-2025-14950
7.3
TrackingMultiple Products
A weakness has been identified in code-projects Scholars Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14951
7.3
TrackingMultiple Products
A security vulnerability has been detected in code-projects Scholars Tracking System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14952
7.3
ManagementMultiple Products
A vulnerability was detected in Campcodes Supplier Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14959
7.3
StockMultiple Products
A weakness has been identified in code-projects Simple Stock System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14960
7.3
ManagementMultiple Products
A security vulnerability has been detected in code-projects Simple Blood Donor Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14961
7.3
ManagementMultiple Products
A vulnerability was detected in code-projects Simple Blood Donor Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14967
7.3
ManagementMultiple Products
A vulnerability was identified in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14968
7.3
StockMultiple Products
A security flaw has been discovered in code-projects Simple Stock System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14989
7.3
ManagementMultiple Products
A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14990
7.3
ManagementMultiple Products
A security flaw has been discovered in Campcodes Complete Online Beauty Parlor Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-1927
7.1
Restajet InformationMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc
CVSS Base7.1
â
CRSSelect profile
CVE-2025-68478
7.1
LangflowMultiple Products
Langflow is a tool for building and deploying AI-powered agents and workflows