Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Archived Security Brief
Yesterday's CVE disclosures included just 1 critical vulnerability, a 95% decrease from the prior day's 20 critical issues. High-priority vulnerabilities totaled 95, representing a modest 5% decline from 100 the previous day. Seven actively exploited vulnerabilities were added to the KEV catalog, including issues affecting Google Chromium, Apple products, MongoDB, Gladinet CentreStack, and ASUS Live Update utilities. The lone critical vulnerability CVE-2025-69288 (CVSS 9.1) affects Titra, an open source project time tracking tool, while legacy issues CVE-2018-4063 in Sierra Wireless AirLink and CVE-2023-52163 in Digiever DS-2105 Pro continue to see active exploitation. Patch availability stands at 0%, indicating organizations should implement compensating controls and monitor vendor advisories closely.
1 critical vulnerability disclosed, down 95% from 20 the prior day
95 high-priority CVEs identified, a 5% decrease from the previous day
7 actively exploited vulnerabilities affecting Google, Apple, MongoDB, Gladinet, ASUS, Sierra Wireless, and Digiever
0% patch availability at time of disclosure requires compensating controls
Legacy vulnerabilities from 2018 and 2023 remain under active exploitation
Immediate action: Organizations using Google Chromium, Apple products, MongoDB, Gladinet CentreStack/Triofox, ASUS Live Update, Sierra Wireless AirLink, or Digiever devices should prioritize reviewing exposure to the 7 actively exploited vulnerabilities. With no patches currently available, implement network segmentation, access restrictions, and enhanced monitoring while awaiting vendor remediation guidance.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2018-4063 (reserved 2018, disclosed 2025)
9.5
Sierra WirelessAirLink ALEOS
β° Federal Deadline:January 1, 2026(1 days remaining)
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-14174
9.5π
GoogleChromium
β° Federal Deadline:January 1, 2026(1 days remaining)
Google Chromium Out of Bounds Memory Access Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-14611
9.5
GladinetCentreStack and Triofox
β° Federal Deadline:January 4, 2026(4 days remaining)
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-43529
9.5π
AppleMultiple Products
β° Federal Deadline:January 4, 2026(4 days remaining)
Apple Multiple Products Use-After-Free WebKit Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-59374
9.5
ASUSLive Update
β° Federal Deadline:January 6, 2026(6 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2023-52163 (reserved 2023, disclosed 2025)
9.5
DigieverDS-2105 Pro
β° Federal Deadline:January 11, 2026(11 days remaining)
Digiever DS-2105 Pro Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-14847
9.5
MongoDBMongoDB and MongoDB Server
β° Federal Deadline:January 18, 2026(18 days remaining)
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2025-69288
9.1π
Titra is open source project time trackingMultiple Products
Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-14509 (reserved 2025, disclosed 2026)
7.2π
WordPressMultiple Products
The Lucky Wheel for WooCommerce β Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1
CVSS Base7.2
β
CRSSelect profile
CVE-2025-28949 (reserved 2025, disclosed 2026)
8.5π
WordPressMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders allows Blind SQL Injection
CVSS Base8.5
β
CRSSelect profile
CVE-2025-68996 (reserved 2025, disclosed 2026)
7.5π
WebCodingPlaceMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2025-62753 (reserved 2025, disclosed 2026)
7.5π
MadrasThemes MASMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MadrasThemes MAS Videos allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2025-68979 (reserved 2025, disclosed 2026)
8.1π
GoogleMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
β
CRSSelect profile
CVE-2025-15263 (reserved 2025, disclosed 2026)
7.3π
PHPMultiple Products
A weakness has been identified in BiggiDroid Simple PHP CMS 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-50053 (reserved 2025, disclosed 2026)
7.1π
nebelhorn BlappstaMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin & Your native, mobile iPhone App and Android App allows Reflected XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2022-50800 (reserved 2022, disclosed 2026)
7.5π
UnknownMultiple Products
H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47741 (reserved 2021, disclosed 2026)
7.5
ZBLMultiple Products
ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints
CVSS Base7.5
β
CRSSelect profile
CVE-2025-15387 (reserved 2025, disclosed 2026)
8.8
VPNMultiple Products
VPN Firewall developed by QNO Technology has a Insufficient Entropy vulnerability, allowing unauthenticated remote attackers to obtain any logged-in user session through brute-force attacks and subsequently log into the system
CVSS Base8.8
β
CRSSelect profile
CVE-2025-15388 (reserved 2025, disclosed 2026)
8.8
theMultiple Products
VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server
CVSS Base8.8
β
CRSSelect profile
CVE-2025-15389 (reserved 2025, disclosed 2026)
8.8
theMultiple Products
VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server
CVSS Base8.8
β
CRSSelect profile
CVE-2025-68989 (reserved 2025, disclosed 2026)
7.5
Renzo Johnson ContactMultiple Products
Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data
CVSS Base7.5
β
CRSSelect profile
CVE-2025-30628 (reserved 2025, disclosed 2026)
8.5
ImproperMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection
CVSS Base8.5
β
CRSSelect profile
CVE-2024-58337 (reserved 2024, disclosed 2026)
7.5
AkuvoxMultiple Products
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47726 (reserved 2021, disclosed 2026)
7.5
NuComMultiple Products
NuCom 11N Wireless Router 5
CVSS Base7.5
β
CRSSelect profile
CVE-2025-59129 (reserved 2025, disclosed 2026)
7.6
ImproperMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Appointify allows Blind SQL Injection
CVSS Base7.6
β
CRSSelect profile
CVE-2025-68976 (reserved 2025, disclosed 2026)
8.8
Missing AuthorizationMultiple Products
Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.8
β
CRSSelect profile
CVE-2025-15252 (reserved 2025, disclosed 2026)
8.8
flawMultiple Products
A flaw has been found in Tenda M3 1
CVSS Base8.8
β
CRSSelect profile
CVE-2025-15253 (reserved 2025, disclosed 2026)
8.8
hasMultiple Products
A vulnerability has been found in Tenda M3 1
CVSS Base8.8
β
CRSSelect profile
CVE-2025-15356 (reserved 2025, disclosed 2026)
8.8
hasMultiple Products
A vulnerability has been found in Tenda AC20 up to 16
CVSS Base8.8
β
CRSSelect profile
CVE-2022-50793 (reserved 2022, disclosed 2026)
8.8
UnknownMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco <=2
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47742 (reserved 2021, disclosed 2026)
8.8
EpicMultiple Products
Epic Games Psyonix Rocket League <=1
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47745 (reserved 2021, disclosed 2026)
8.8
CypressMultiple Products
Cypress Solutions CTM-200 2
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47747 (reserved 2021, disclosed 2026)
8.8
meterNMultiple Products
meterN 1
CVSS Base8.8
β
CRSSelect profile
CVE-2022-50789 (reserved 2022, disclosed 2026)
8.4
UnknownMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco <=2
CVSS Base8.4
β
CRSSelect profile
CVE-2022-50791 (reserved 2022, disclosed 2026)
8.4
UnknownMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco <=2
CVSS Base8.4
β
CRSSelect profile
CVE-2022-50795 (reserved 2022, disclosed 2026)
8.4
UnknownMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco <=2
CVSS Base8.4
β
CRSSelect profile
CVE-2024-58315 (reserved 2024, disclosed 2026)
8.4
KeyMultiple Products
Tosibox Key Service 3
CVSS Base8.4
β
CRSSelect profile
CVE-2020-36903 (reserved 2020, disclosed 2026)
8.4
SeleaMultiple Products
Selea CarPlateServer 4
CVSS Base8.4
β
CRSSelect profile
CVE-2022-50694 (reserved 2022, disclosed 2026)
8.2
UnknownMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco <=2
CVSS Base8.2
β
CRSSelect profile
CVE-2023-54163 (reserved 2023, disclosed 2026)
8.2
mKlikMultiple Products
NLB mKlik Macedonia 3
CVSS Base8.2
β
CRSSelect profile
CVE-2025-68975 (reserved 2025, disclosed 2026)
8.1
AuthorizationMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
β
CRSSelect profile
CVE-2025-68980 (reserved 2025, disclosed 2026)
8.1
designthemesMultiple Products
Missing Authorization vulnerability in designthemes WeDesignTech Portfolio wedesigntech-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
β
CRSSelect profile
CVE-2025-68982 (reserved 2025, disclosed 2026)
8.1
designthemesMultiple Products
Missing Authorization vulnerability in designthemes DesignThemes LMS Addon designthemes-lms-addon allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
β
CRSSelect profile
CVE-2025-15112 (reserved 2025, disclosed 2026)
8
SecurityMultiple Products
Ksenia Security Lares 4
CVSS Base8
β
CRSSelect profile
CVE-2025-15113 (reserved 2025, disclosed 2026)
7.8
SecurityMultiple Products
Ksenia Security Lares 4
CVSS Base7.8
β
CRSSelect profile
CVE-2025-15371 (reserved 2025, disclosed 2026)
7.8
hasMultiple Products
A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65
CVSS Base7.8
β
CRSSelect profile
CVE-2025-68988 (reserved 2025, disclosed 2026)
7.5
Exposure of SensitiveMultiple Products
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in o2oe E-Invoice App Malaysia einvoiceapp-malaysia allows Retrieve Embedded Sensitive Data
CVSS Base7.5
β
CRSSelect profile
CVE-2025-69256 (reserved 2025, disclosed 2026)
7.5
TheMultiple Products
The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications
CVSS Base7.5
β
CRSSelect profile
CVE-2022-50692 (reserved 2022, disclosed 2026)
7.5
EcoMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2
CVSS Base7.5
β
CRSSelect profile
CVE-2022-50788 (reserved 2022, disclosed 2026)
7.5
UnknownMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco <=2
CVSS Base7.5
β
CRSSelect profile
CVE-2022-50796 (reserved 2022, disclosed 2026)
7.5
UnknownMultiple Products
SOUND4 IMPACT/FIRST/PULSE/Eco <=2
CVSS Base7.5
β
CRSSelect profile
CVE-2022-50798 (reserved 2022, disclosed 2026)
7.5
SoXMultiple Products
SoX 14
CVSS Base7.5
β
CRSSelect profile
CVE-2022-50799 (reserved 2022, disclosed 2026)
7.5
FTPMultiple Products
Fetch FTP Client 5
CVSS Base7.5
β
CRSSelect profile
CVE-2023-53983 (reserved 2023, disclosed 2026)
7.5
AneviaMultiple Products
Anevia Flamingo XL/XS 3
CVSS Base7.5
β
CRSSelect profile
CVE-2023-54327 (reserved 2023, disclosed 2026)
7.5
LANMultiple Products
Tinycontrol LAN Controller 1
CVSS Base7.5
β
CRSSelect profile
CVE-2025-15111 (reserved 2025, disclosed 2026)
7.5
SecurityMultiple Products
Ksenia Security Lares 4
CVSS Base7.5
β
CRSSelect profile
CVE-2020-36904 (reserved 2020, disclosed 2026)
7.5
SeleaMultiple Products
Selea CarPlateServer 4
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47740 (reserved 2021, disclosed 2026)
7.5
LTEMultiple Products
KZTech JT3500V 4G LTE CPE 2
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47744 (reserved 2021, disclosed 2026)
7.5
CypressMultiple Products
Cypress Solutions CTM-200/CTM-ONE 1
CVSS Base7.5
β
CRSSelect profile
CVE-2025-15243 (reserved 2025, disclosed 2026)
7.3
StockMultiple Products
A flaw has been found in code-projects Simple Stock System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-15247 (reserved 2025, disclosed 2026)
7.3
wasMultiple Products
A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424
CVSS Base7.3
β
CRSSelect profile
CVE-2025-15256 (reserved 2025, disclosed 2026)
7.3
wasMultiple Products
A vulnerability was identified in Edimax BR-6208AC 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-15257 (reserved 2025, disclosed 2026)
7.3
securityMultiple Products
A security flaw has been discovered in Edimax BR-6208AC 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-15264 (reserved 2025, disclosed 2026)
7.3
wasMultiple Products
A vulnerability was determined in FeehiCMS up to 2
CVSS Base7.3
β
CRSSelect profile
CVE-2025-15353 (reserved 2025, disclosed 2026)
7.3
ManagementMultiple Products
A vulnerability was detected in itsourcecode Society Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2025-15354 (reserved 2025, disclosed 2026)
7.3
ManagementMultiple Products
A flaw has been found in itsourcecode Society Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-0544
7.3
ManagementMultiple Products
A security flaw has been discovered in itsourcecode School Management System 1
Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-49354 (reserved 2025, disclosed 2026)
7.1
MindstienMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-68885 (reserved 2025, disclosed 2026)
7.1
Page Carbajal CustomMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Page Carbajal Custom Post Status allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-49028 (reserved 2025, disclosed 2026)
7.1
Zoho Mail ZohoMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail allows Stored XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-23608 (reserved 2025, disclosed 2026)
7.1
Omar Mohamed MohamoudMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Omar Mohamed Mohamoud LIVE TV allows Reflected XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-23667 (reserved 2025, disclosed 2026)
7.1
Christopher ChurchillMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill allows Reflected XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-23705 (reserved 2025, disclosed 2026)
7.1
Terry Zielke ZielkeMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery allows Reflected XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-23707 (reserved 2025, disclosed 2026)
7.1
Matamko En MasseMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse allows Reflected XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-23719 (reserved 2025, disclosed 2026)
7.1
zckevinMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget allows Reflected XSS
CVSS Base7.1
β
CRSSelect profile
CVE-2025-23757 (reserved 2025, disclosed 2026)
7.1
Proloy Chakroborty ZDMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper allows Reflected XSS