Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Yesterday's disclosures included 9 critical-severity CVEs, a 200% increase from the prior day's 3. High-priority vulnerabilities also rose substantially to 66 from 26, representing a 154% increase. Eight actively exploited vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog, including issues affecting GeoServer, Google Chromium, Apple products, MongoDB, and ASUS Live Update. Notable critical vulnerabilities include CVE-2025-52691 (CVSS 10) enabling unauthenticated arbitrary file uploads, CVE-2025-68860 affecting Mobile Builder with authentication bypass, and CVE-2025-68897 involving code generation control issues. Patch availability stands at 0%, requiring organizations to prioritize compensating controls and monitoring.
9 critical CVEs disclosed, up 200% from prior day's 3
66 high-priority CVEs, a 154% increase from 26
8 actively exploited vulnerabilities including GeoServer, Chromium, Apple, MongoDB, and ASUS
0% patch availability for newly disclosed vulnerabilities
Multiple file upload vulnerabilities affecting MapSVG, WMPro, and BPMFlowWebkit systems
Immediate action: Organizations using GeoServer, Apple products, MongoDB, ASUS Live Update, Chromium, or Gladinet CentreStack should review KEV entries immediately. With no patches currently available for newly disclosed critical issues, implement network segmentation and enhanced monitoring for affected systems.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-58360
9.5
OSGeoGeoServer
â° Federal Deadline:December 31, 2025(2 days remaining)
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2018-4063
9.5
Sierra WirelessAirLink ALEOS
â° Federal Deadline:January 1, 2026(3 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-14174
9.5đ
GoogleChromium
â° Federal Deadline:January 1, 2026(3 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
â° Federal Deadline:January 4, 2026(6 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-43529
9.5đ
AppleMultiple Products
â° Federal Deadline:January 4, 2026(6 days remaining)
Apple Multiple Products Use-After-Free WebKit Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-59374
9.5
ASUSLive Update
â° Federal Deadline:January 6, 2026(8 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2023-52163
9.5
DigieverDS-2105 Pro
â° Federal Deadline:January 11, 2026(13 days remaining)
Digiever DS-2105 Pro Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14847
9.5
MongoDBMongoDB and MongoDB Server
â° Federal Deadline:January 18, 2026(20 days remaining)
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-52691
10đ
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mailMultiple Products
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
CVSS Base10
â
CRSSelect profile
CVE-2025-15194
9.8đ
A vulnerability was found inMultiple Products
A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of the argument Cookie results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-68929
9đ
Frappe is aMultiple Products
Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.
CVSS Base9
â
CRSSelect profile
CVE-2025-68562
9.9đ
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a WebMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-15226
9.8đ
WMPro developed by Sunnet has a Arbitrary File UploadMultiple Products
WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-15228
9.8đ
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File UploadMultiple Products
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-68860
9.8đ
Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder allows AuthenticationMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through 1.4.2.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-68897
9.9đ
Improper Control of Generation of CodeMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode allows Code Injection.This issue affects IF AS Shortcode: from n/a through 1.2.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-15102
9.1đ
UnknownMultiple Products
DVP-12SE11T - Password Protection Bypass
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-13592
7.2đ
WordPressMultiple Products
The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2
CVSS Base7.2
â
CRSSelect profile
CVE-2025-68877
7.5đ
CedCommerceMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CedCommerce CedCommerce Integration for Good Market allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-69200
7.5đ
phpMyFAQMultiple Products
phpMyFAQ is an open source FAQ web application
CVSS Base7.5
â
CRSSelect profile
CVE-2025-68870
7.5đ
reDim GmbH CookieHintMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-13417
8.6đ
WordPressMultiple Products
The Plugin Organizer WordPress plugin before 10
CVSS Base8.6
â
CRSSelect profile
CVE-2025-15142
7.3đ
identifiedMultiple Products
A vulnerability was identified in 9786 phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c
CVSS Base7.3
â
CRSSelect profile
CVE-2025-23458
7.1đ
RakesshMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-15067
7.7đ
WebMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in Innorix Innorix WP allows Upload a Web Shell to a Web Server
CVSS Base7.7
â
CRSSelect profile
CVE-2025-15225
7.5đ
WMProMultiple Products
WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15227
7.5đ
BPMFlowWebkitMultiple Products
BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15103
8.1đ
UnknownMultiple Products
DVP-12SE11T - Authentication Bypass via Partial Password Disclosure
CVSS Base8.1
â
CRSSelect profile
CVE-2025-15136
8.8đ
securityMultiple Products
A security vulnerability has been detected in TRENDnet TEW-800MB 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15137
8.8đ
wasMultiple Products
A vulnerability was detected in TRENDnet TEW-800MB 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15189
8.8đ
D-LinkMultiple Products
A vulnerability was identified in D-Link DWR-M920 up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15190
8.8đ
D-LinkMultiple Products
A security flaw has been discovered in D-Link DWR-M920 up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15193
8.8
D-LinkMultiple Products
A vulnerability was detected in D-Link DWR-M920 up to 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-55061
8.8
UnknownMultiple Products
CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15215
8.8
wasMultiple Products
A vulnerability was determined in Tenda AC10U 15
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15216
8.8
wasMultiple Products
A vulnerability was identified in Tenda AC23 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15217
8.8
securityMultiple Products
A security flaw has been discovered in Tenda AC23 16
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15218
8.8
weaknessMultiple Products
A weakness has been identified in Tenda AC10U 15
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15230
8.8
wasMultiple Products
A vulnerability was found in Tenda M3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15231
8.8
wasMultiple Products
A vulnerability was determined in Tenda M3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15232
8.8
wasMultiple Products
A vulnerability was identified in Tenda M3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15233
8.8
securityMultiple Products
A security flaw has been discovered in Tenda M3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15234
8.8
weaknessMultiple Products
A weakness has been identified in Tenda M3 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15069
7.1đ
Gmission Web FaxMultiple Products
Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation
CVSS Base7.1
â
CRSSelect profile
CVE-2025-68973
7.8đ
GnuPGMultiple Products
In GnuPG through 2
CVSS Base7.8
â
CRSSelect profile
CVE-2025-15068
7.7đ
Gmission Web FaxMultiple Products
Missing Authorization vulnerability in Gmission Web Fax allows Privilege Abuse, Session Credential Falsification through Manipulation
CVSS Base7.7
â
CRSSelect profile
CVE-2025-69217
7.7
STUNMultiple Products
coturn is a free open source implementation of TURN and STUN Server
CVSS Base7.7
â
CRSSelect profile
CVE-2025-15284
7.5
qs Improper InputMultiple Products
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS
CVSS Base7.5
â
CRSSelect profile
CVE-2025-68036
7.5
Emraan Cheema CubeWPMultiple Products
Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15358
7.5
UnknownMultiple Products
DVP-12SE11T - Denial of Service Vulnerability
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15140
7.3đ
wasMultiple Products
A vulnerability was found in saiftheboss7 onlinemcqexam up to 0e56806132971e49721db3ef01868098c7b42ada
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15165
7.3đ
OrderingMultiple Products
A vulnerability has been found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15166
7.3đ
OrderingMultiple Products
A vulnerability was found in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15167
7.3đ
OrderingMultiple Products
A vulnerability was determined in itsourcecode Online Cake Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15168
7.3
ManagementMultiple Products
A vulnerability was identified in itsourcecode Student Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15181
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15182
7.3
ManagementMultiple Products
A weakness has been identified in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15183
7.3
ManagementMultiple Products
A security vulnerability has been detected in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15184
7.3
ManagementMultiple Products
A vulnerability was detected in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15185
7.3
ManagementMultiple Products
A flaw has been found in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15186
7.3
ManagementMultiple Products
A vulnerability has been found in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15195
7.3
AssessmentMultiple Products
A vulnerability was determined in code-projects Assessment Management 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15196
7.3
AssessmentMultiple Products
A vulnerability was identified in code-projects Assessment Management 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15198
7.3
UploadingMultiple Products
A weakness has been identified in code-projects College Notes Uploading System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15206
7.3
ManagementMultiple Products
A flaw has been found in Campcodes Supplier Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15207
7.3
ManagementMultiple Products
A vulnerability has been found in Campcodes Supplier Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15208
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Refugee Food Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15160
7.2
hasMultiple Products
A vulnerability has been found in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15161
7.2
wasMultiple Products
A vulnerability was found in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15162
7.2
wasMultiple Products
A vulnerability was determined in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15163
7.2
wasMultiple Products
A vulnerability was identified in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15164
7.2
securityMultiple Products
A security flaw has been discovered in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15177
7.2
hasMultiple Products
A vulnerability has been found in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15178
7.2
wasMultiple Products
A vulnerability was found in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15179
7.2
wasMultiple Products
A vulnerability was determined in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-15180
7.2
wasMultiple Products
A vulnerability was identified in Tenda WH450 1
CVSS Base7.2
â
CRSSelect profile
CVE-2025-68876
7.1
INVELITY Invelity SPSMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INVELITY Invelity SPS connect allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-68878
7.1
PrasadkirpekarMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prasadkirpekar Advanced Custom CSS allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-68879
7.1
Councilsoft ContentMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Councilsoft Content Grid Slider allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-68861
7.1
Plugin OptimizerMultiple Products
Missing Authorization vulnerability in Plugin Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.1
â
CRSSelect profile
CVE-2025-23469
7.1
ImproperMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sleekplan allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-23550
7.1
Kemal YAZICI ProductMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kemal YAZICI Product Puller allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-23554
7.1
Jakub Glos Off PageMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jakub Glos Off Page SEO allows Reflected XSS