Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Yesterday's disclosures included 4 critical vulnerabilities (CVSS 9.0+), a notable increase from zero critical issues the prior day. High-priority CVEs decreased 76% to 23 from the previous day's 95. Eleven actively exploited vulnerabilities remain on the CISA KEV list, including CVE-2025-66644 affecting Array Networks ArrayOS AG, CVE-2025-6218 in RARLAB WinRAR, and CVE-2025-62221 targeting Microsoft Windows. Notable critical disclosures include CVE-2025-66203 (CVSS 9.9) in StreamVault video download integration, CVE-2025-68668 (CVSS 9.9), and CVE-2025-13915 (CVSS 9.8) affecting IBM API Connect. Patch availability stands at 0%, requiring organizations to implement compensating controls until vendor fixes become available.
4 critical vulnerabilities disclosed, up from 0 the prior day
23 high-priority CVEs, a 76% decrease from 95 the previous day
11 actively exploited vulnerabilities including D-Link Routers, Microsoft Windows, Google Chromium, and Apple products
0% patch availability for disclosed vulnerabilities
IBM API Connect, StreamVault, Array Networks, and WinRAR among affected products
Immediate action: Priority review is recommended for organizations using IBM API Connect, Array Networks ArrayOS AG, RARLAB WinRAR, and Microsoft Windows systems. With no patches currently available, implement network segmentation and enhanced monitoring for affected products while awaiting vendor updates.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2022-37055
9.5
D-LinkRouters
â° Federal Deadline:December 28, 2025(2 days remaining)
D-Link Routers Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-66644
9.5
Array Networks ArrayOS AG
â° Federal Deadline:December 28, 2025(2 days remaining)
Array Networks ArrayOS AG OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(3 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(3 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(5 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(6 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(6 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
â° Federal Deadline:January 4, 2026(9 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43529
9.5đ
AppleMultiple Products
â° Federal Deadline:January 4, 2026(9 days remaining)
Apple Multiple Products Use-After-Free WebKit Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-59374
9.5
ASUSLive Update
â° Federal Deadline:January 6, 2026(11 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-52163
9.5
DigieverDS-2105 Pro
â° Federal Deadline:January 11, 2026(16 days remaining)
Digiever DS-2105 Pro Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-66203
9.9đ
StreamVault is a video download integrationMultiple Products
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
CVSS Base9.9
â
CRSSelect profile
CVE-2024-44065
9.8đ
UnknownMultiple Products
Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-68668
9.9đ
UnknownMultiple Products
n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-13915
9.8đ
IBM API ConnectMultiple Products
IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-57403
7.5đ
ColaMultiple Products
Cola Dnslog v1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15089
8.8đ
hasMultiple Products
A vulnerability has been found in UTT čŋå 512W up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15090
8.8đ
wasMultiple Products
A vulnerability was found in UTT čŋå 512W up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15091
8.8đ
wasMultiple Products
A vulnerability was determined in UTT čŋå 512W up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15092
8.8đ
wasMultiple Products
A vulnerability was identified in UTT čŋå 512W up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-67729
8.8đ
LMDeployMultiple Products
LMDeploy is a toolkit for compressing, deploying, and serving LLMs
CVSS Base8.8
â
CRSSelect profile
CVE-2025-59887
8.6đ
ImproperMultiple Products
Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the software package
CVSS Base8.6
â
CRSSelect profile
CVE-2025-68939
8.2đ
GiteaMultiple Products
Gitea before 1
CVSS Base8.2
â
CRSSelect profile
CVE-2025-67450
7.8đ
insecureMultiple Products
Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package
could perform arbitrary code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2025-12771
7.8đ
IBMMultiple Products
IBM Concert 1
CVSS Base7.8
â
CRSSelect profile
CVE-2025-64645
7.7đ
IBMMultiple Products
IBM Concert 1
CVSS Base7.7
â
CRSSelect profile
CVE-2025-2307
7.6đ
Verisay CommunicationMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd
CVSS Base7.6
â
CRSSelect profile
CVE-2025-2405
7.6đ
Verisay CommunicationMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd
CVSS Base7.6
â
CRSSelect profile
CVE-2025-2406
7.6đ
Verisay CommunicationMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd
CVSS Base7.6
â
CRSSelect profile
CVE-2025-25341
7.5đ
theMultiple Products
A vulnerability exists in the libxmljs 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-67014
7.5
GmbHMultiple Products
Incorrect access control in DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H
CVSS Base7.5
â
CRSSelect profile
CVE-2025-67015
7.5
IncorrectMultiple Products
Incorrect access control in Comtech EF Data CDM-625 / CDM-625A Advanced Satellite Modem with firmware v2
CVSS Base7.5
â
CRSSelect profile
CVE-2024-42718
7.5
Croogo CMS A pathMultiple Products
A path traversal vulnerability in Croogo CMS 4
CVSS Base7.5
â
CRSSelect profile
CVE-2025-59946
7.5
NanoMQMultiple Products
NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15097
7.3
AlteryxMultiple Products
A vulnerability was found in Alteryx Server
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15099
7.3
wasMultiple Products
A vulnerability was identified in simstudioai sim up to 0
CVSS Base7.3
â
CRSSelect profile
CVE-2025-61914
7.3
UnknownMultiple Products
n8n is an open source workflow automation platform
CVSS Base7.3
â
CRSSelect profile
CVE-2025-68697
7.1
UnknownMultiple Products
n8n is an open source workflow automation platform