Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Monday's vulnerability landscape includes 4 critical CVEs (CVSS 9.0+), a 100% increase from yesterday's 2 critical disclosures. High-priority vulnerabilities decreased to 19 from yesterday's 39, representing a 51% reduction. The 17 actively exploited (KEV) vulnerabilities include threats affecting Fortinet products, Android Framework, SonicWall SMA1000, Cisco products, and Microsoft Windows. Notable critical disclosures include CVE-2025-15006 and CVE-2025-15007 affecting Tenda products, and CVE-2025-15016 impacting Ragic Enterprise Cloud Database, all with CVSS 9.8 scores. Patch availability currently stands at 0%, requiring organizations to implement compensating controls while monitoring for vendor updates.
4 critical vulnerabilities disclosed, up 100% from yesterday's 2 critical CVEs
19 high-priority CVEs, down 51% from yesterday's 39 high-severity disclosures
17 actively exploited vulnerabilities affecting Fortinet, Android, SonicWall, Cisco, Microsoft, and Apple products
0% patch availability requires immediate implementation of compensating controls
Multiple Tenda products and Ragic Enterprise Cloud Database among critical disclosures with CVSS 9.8
Immediate action: Prioritize network segmentation and access controls for systems affected by KEV vulnerabilities, particularly Fortinet, SonicWall SMA1000, and Cisco products. Monitor vendor security advisories for patch releases and implement network-based detection for exploitation attempts. Beginning-of-week staffing should account for elevated KEV count requiring coordinated response across security teams.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-59718
9.5đ
FortinetMultiple Products
â° Federal Deadline:December 22, 2025(1 days remaining)
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48633
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(1 days remaining)
Android Framework Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48572
9.5đ
AndroidFramework
â° Federal Deadline:December 22, 2025(1 days remaining)
Android Framework Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-40602
9.5
SonicWallSMA1000 appliance
â° Federal Deadline:December 23, 2025(2 days remaining)
SonicWall SMA1000 Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-20393
9.5
CiscoMultiple Products
â° Federal Deadline:December 23, 2025(2 days remaining)
Cisco Multiple Products Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-26828
9.5
OpenPLCScadaBR
â° Federal Deadline:December 23, 2025(2 days remaining)
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-14733
9.5
WatchGuardFirebox
â° Federal Deadline:December 25, 2025(4 days remaining)
WatchGuard Firebox Out of Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(7 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(7 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(8 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(8 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(10 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(11 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(11 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
â° Federal Deadline:January 4, 2026(14 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43529
9.5đ
AppleMultiple Products
â° Federal Deadline:January 4, 2026(14 days remaining)
Apple Multiple Products Use-After-Free WebKit Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-59374
9.5
ASUSLive Update
â° Federal Deadline:January 6, 2026(16 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-15006
9.8đ
A weakness has been identified in TendaMultiple Products
A weakness has been identified in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/CheckTools of the component HTTP Request Handler. This manipulation of the argument ipaddress causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-15016
9.8đ
Enterprise Cloud Database developed by Ragic has aMultiple Products
Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-15007
9.8đ
A security vulnerability has been detected in TendaMultiple Products
A security vulnerability has been detected in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/L7Im of the component HTTP Request Handler. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-15010
9.8đ
A vulnerability has been found in TendaMultiple Products
A vulnerability has been found in Tenda WH450 1.0.0.18. This issue affects some unknown processing of the file /goform/SafeUrlFilter. The manipulation of the argument page leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-14071
7.5đ
WordPressMultiple Products
The Live Composer â Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14800
8.1đ
WordPressMultiple Products
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3
CVSS Base8.1
â
CRSSelect profile
CVE-2025-12980
7.5đ
WordPressMultiple Products
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites â PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15015
7.5đ
EnterpriseMultiple Products
Enterprise Cloud Database developed by Ragic has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files
CVSS Base7.5
â
CRSSelect profile
CVE-2025-7782
7.6đ
WordPressMultiple Products
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7
CVSS Base7.6
â
CRSSelect profile
CVE-2025-9343
7.2đ
WordPressMultiple Products
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3
CVSS Base7.2
â
CRSSelect profile
CVE-2025-14855
7.2đ
WordPressMultiple Products
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2
CVSS Base7.2
â
CRSSelect profile
CVE-2025-14992
8.8đ
securityMultiple Products
A security vulnerability has been detected in Tenda AC18 15
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14993
8.8đ
wasMultiple Products
A vulnerability was detected in Tenda AC18 15
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14994
8.8đ
flawMultiple Products
A flaw has been found in Tenda FH1201 and FH1206 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-14995
8.8đ
hasMultiple Products
A vulnerability has been found in Tenda FH1201 1
CVSS Base8.8
â
CRSSelect profile
CVE-2023-25446
7.7đ
HappyFiles HappyFilesMultiple Products
Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.7
â
CRSSelect profile
CVE-2025-68644
7.4đ
RPSMultiple Products
Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses
CVSS Base7.4
â
CRSSelect profile
CVE-2025-14989
7.3đ
ManagementMultiple Products
A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14990
7.3đ
ManagementMultiple Products
A security flaw has been discovered in Campcodes Complete Online Beauty Parlor Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15002
7.3
hasMultiple Products
A vulnerability has been found in SeaCMS up to 13
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15008
7.3
wasMultiple Products
A vulnerability was detected in Tenda WH450 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15011
7.3
StockMultiple Products
A vulnerability was found in code-projects Simple Stock System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15012
7.3
ManagementMultiple Products
A vulnerability was determined in code-projects Refugee Food Management System 1