Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Yesterday's disclosures include 3 critical CVEs, a 50% increase from the prior day's 2 critical vulnerabilities. High-priority CVEs doubled to 26, indicating increased vulnerability disclosure activity following the weekend. Nine actively exploited vulnerabilities were added to the KEV catalog, including CVE-2025-6218 affecting WinRAR, CVE-2025-62221 targeting Microsoft Windows, and CVE-2025-14174 in Google Chromium. Critical vulnerabilities CVE-2025-52691, CVE-2025-15226, and CVE-2025-15228 all involve arbitrary file upload flaws affecting multiple products. Patch availability currently stands at 0%, requiring organizations to implement compensating controls until vendor fixes are released.
3 critical CVEs disclosed (50% increase from prior day's 2)
26 high-priority CVEs identified (100% increase from 13)
9 actively exploited vulnerabilities including WinRAR, Windows, GeoServer, and Chrome
Arbitrary file upload vulnerabilities affect Sunnet WMPro and WELLTEND BPMFlowWebkit
Immediate action: Prioritize review of Microsoft Windows, Google Chrome, and WinRAR installations given active exploitation status. With no patches currently available for disclosed vulnerabilities, implement network segmentation and monitor for indicators of compromise while awaiting vendor releases.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-6218
9.5
RARLABWinRAR
â° Federal Deadline:December 29, 2025(1 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-62221
9.5đ
MicrosoftWindows
â° Federal Deadline:December 29, 2025(1 days remaining)
Microsoft Windows Use After Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(3 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(4 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(4 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
â° Federal Deadline:January 4, 2026(7 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-43529
9.5đ
AppleMultiple Products
â° Federal Deadline:January 4, 2026(7 days remaining)
Apple Multiple Products Use-After-Free WebKit Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-59374
9.5
ASUSLive Update
â° Federal Deadline:January 6, 2026(9 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-52163
9.5
DigieverDS-2105 Pro
â° Federal Deadline:January 11, 2026(14 days remaining)
Digiever DS-2105 Pro Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-52691
10đ
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mailMultiple Products
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
CVSS Base10
â
CRSSelect profile
CVE-2025-15226
9.8đ
WMPro developed by Sunnet has a Arbitrary File UploadMultiple Products
WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-15228
9.8đ
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File UploadMultiple Products
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-15142
7.3đ
identifiedMultiple Products
A vulnerability was identified in 9786 phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15067
7.7đ
WebMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in Innorix Innorix WP allows Upload a Web Shell to a Web Server
CVSS Base7.7
â
CRSSelect profile
CVE-2025-15225
7.5đ
WMProMultiple Products
WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15227
7.5đ
BPMFlowWebkitMultiple Products
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15136
8.8đ
securityMultiple Products
A security vulnerability has been detected in TRENDnet TEW-800MB 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15137
8.8đ
wasMultiple Products
A vulnerability was detected in TRENDnet TEW-800MB 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15069
7.1đ
Gmission Web FaxMultiple Products
Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation
CVSS Base7.1
â
CRSSelect profile
CVE-2025-68973
7.8đ
GnuPGMultiple Products
In GnuPG through 2
CVSS Base7.8
â
CRSSelect profile
CVE-2025-15068
7.7đ
Gmission Web FaxMultiple Products
Missing Authorization vulnerability in Gmission Web Fax allows Privilege Abuse, Session Credential Falsification through Manipulation
CVSS Base7.7
â
CRSSelect profile
CVE-2025-15109
7.3đ
flawMultiple Products
A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15127
7.3đ
securityMultiple Products
A security vulnerability has been detected in FantasticLBP Hotels_Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15140
7.3đ
wasMultiple Products
A vulnerability was found in saiftheboss7 onlinemcqexam up to 0e56806132971e49721db3ef01868098c7b42ada
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15165
7.3đ
OrderingMultiple Products
A vulnerability has been found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15166
7.3đ
OrderingMultiple Products
A vulnerability was found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15167
7.3đ
OrderingMultiple Products
A vulnerability was determined in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15168
7.3
ManagementMultiple Products
A vulnerability was identified in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15181
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15160
7.2
hasMultiple Products
A vulnerability has been found in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15161
7.2
wasMultiple Products
A vulnerability was found in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15162
7.2
wasMultiple Products
A vulnerability was determined in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15163
7.2
wasMultiple Products
A vulnerability was identified in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15164
7.2
securityMultiple Products
A security flaw has been discovered in Tenda WH450 1