Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Yesterday's disclosures reveal 14 critical vulnerabilities (CVSS 9.0+), a substantial increase from zero critical CVEs the prior day. High-priority vulnerabilities also increased significantly to 59, up 269% from the previous day's 16. Three actively exploited vulnerabilities remain on CISA's KEV catalog, affecting ASUS Live Update, Digiever DS-2105 Pro, and MongoDB Server. Notable critical issues include multiple Coolify vulnerabilities (CVE-2025-64419, CVE-2025-64420, CVE-2025-59157) with CVSS scores up to 9.9, WordPress plugin privilege escalation flaws, and SQL injection vulnerabilities across multiple products. Patch availability stands at 0%, requiring organizations to implement compensating controls and monitor vendor advisories.
14 critical CVEs disclosed, up from 0 the prior day
59 high-priority CVEs represent a 269% increase from 16
3 actively exploited vulnerabilities affect ASUS, Digiever, and MongoDB products
0% patch availability requires compensating controls and vendor monitoring
Coolify platform and multiple WordPress plugins are primary affected systems
Immediate action: Organizations using Coolify, WordPress with AS Password Field or FS Registration Password plugins, ASUS Live Update, Digiever DS-2105 Pro, or MongoDB should prioritize review. With no patches currently available, implement network segmentation, access restrictions, and enhanced monitoring for affected systems.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2025-59374
9.5
ASUSLive Update
â° Federal Deadline:January 6, 2026(1 days remaining)
ASUS Live Update Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-52163 (reserved 2023, disclosed 2025)
9.5
DigieverDS-2105 Pro
â° Federal Deadline:January 11, 2026(6 days remaining)
Digiever DS-2105 Pro Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-14847
9.5
MongoDBMongoDB and MongoDB Server
â° Federal Deadline:January 18, 2026(13 days remaining)
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-64419 (reserved 2025, disclosed 2026)
9.6đ
Coolify is anMultiple Products
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue.
CVSS Base9.6
â
CRSSelect profile
CVE-2025-64420 (reserved 2025, disclosed 2026)
9.9đ
Coolify is anMultiple Products
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-14996 (reserved 2025, disclosed 2026)
9.8đ
The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions upMultiple Products
The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-15001 (reserved 2025, disclosed 2026)
9.8đ
The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions upMultiple Products
The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-59157 (reserved 2025, disclosed 2026)
9.9đ
Coolify is anMultiple Products
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-31048 (reserved 2025, disclosed 2026)
9.9đ
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a WebMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through 1.1.4.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-15029 (reserved 2025, disclosed 2026)
9.8đ
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user.
This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-21675
9.8đ
iccDEV provides a set of libraries and tools for working with ICC color managementMultiple Products
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-30633 (reserved 2025, disclosed 2026)
9.3đ
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations allows SQL Injection.This issue affects Amazon Native Shopping Recommendations: from n/a through 1.3.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-68865 (reserved 2025, disclosed 2026)
9.3đ
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection.This issue affects Infility Global: from n/a through 2.14.48.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-39484 (reserved 2025, disclosed 2026)
9.3đ
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection.This issue affects Entrada: from n/a through 5.7.7.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-15026 (reserved 2025, disclosed 2026)
9.8đ
Missing Authentication for Critical Function vulnerability in Centreon Infra MonitoringMultiple Products
Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-14346 (reserved 2025, disclosed 2026)
9.8đ
WHILL ModelMultiple Products
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.
CVSS Base9.8
â
CRSSelect profile
CVE-2023-50897 (reserved 2023, disclosed 2026)
9.1đ
Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using MaliciousMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-69087 (reserved 2025, disclosed 2026)
8.1đ
jwsthemes FreeAgentMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-15364 (reserved 2025, disclosed 2026)
7.3đ
WordPressMultiple Products
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14124 (reserved 2025, disclosed 2026)
8.6đ
WordPressMultiple Products
The Team WordPress plugin before 5
CVSS Base8.6
â
CRSSelect profile
CVE-2025-14997 (reserved 2025, disclosed 2026)
7.2đ
WordPressMultiple Products
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1
CVSS Base7.2
â
CRSSelect profile
CVE-2023-49186 (reserved 2023, disclosed 2026)
7.1đ
KlbTheme Machic CoreMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2024-53735 (reserved 2024, disclosed 2026)
7.1đ
WebclipMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-69223 (reserved 2025, disclosed 2026)
7.5đ
HTTPMultiple Products
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15240 (reserved 2025, disclosed 2026)
8.8đ
theMultiple Products
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server
CVSS Base8.8
â
CRSSelect profile
CVE-2025-31047 (reserved 2025, disclosed 2026)
8.8đ
Themify Themify EdminMultiple Products
Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-21411
8.8đ
AuthenticationMultiple Products
Authentication bypass issue exists in OpenBlocks series versions prior to FW5
CVSS Base8.8
â
CRSSelect profile
CVE-2025-31044 (reserved 2025, disclosed 2026)
8.5đ
ImproperMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-68953 (reserved 2025, disclosed 2026)
7.5đ
FrappeMultiple Products
Frappe is a full-stack web application framework
CVSS Base7.5
â
CRSSelect profile
CVE-2025-15446 (reserved 2025, disclosed 2026)
7.3đ
flawMultiple Products
A flaw has been found in Seeyon Zhiyuan OA Web Application System up to 20251223
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15447 (reserved 2025, disclosed 2026)
7.3đ
hasMultiple Products
A vulnerability has been found in Seeyon Zhiyuan OA Web Application System up to 20251223
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15459 (reserved 2025, disclosed 2026)
8.8đ
securityMultiple Products
A security vulnerability has been detected in UTT čŋå 520W 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15460 (reserved 2025, disclosed 2026)
8.8đ
wasMultiple Products
A vulnerability was detected in UTT čŋå 520W 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15461 (reserved 2025, disclosed 2026)
8.8đ
flawMultiple Products
A flaw has been found in UTT čŋå 520W 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-15462 (reserved 2025, disclosed 2026)
8.8đ
hasMultiple Products
A vulnerability has been found in UTT čŋå 520W 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-21633
8.8
Unifi ProtectMultiple Products
A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6
CVSS Base8.8
â
CRSSelect profile
CVE-2025-55204 (reserved 2025, disclosed 2026)
8.8
streamingMultiple Products
muffon is a cross-platform music streaming client for desktop
CVSS Base8.8
â
CRSSelect profile
CVE-2026-21485
8.8
iccDEVMultiple Products
iccDEV provides a set of libraries and tools for working with ICC color management profiles
CVSS Base8.8
â
CRSSelect profile
CVE-2026-21676
8.8
iccDEVMultiple Products
iccDEV provides a set of libraries and tools for working with ICC color management profiles
CVSS Base8.8
â
CRSSelect profile
CVE-2026-21677
8.8
iccDEVMultiple Products
iccDEV provides a set of libraries and tools for working with ICC color management profiles
CVSS Base8.8
â
CRSSelect profile
CVE-2025-68044 (reserved 2025, disclosed 2026)
8.6
Rustaurius Five StarMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.6
â
CRSSelect profile
CVE-2025-49495 (reserved 2025, disclosed 2026)
8.4
ProcessorMultiple Products
An issue was discovered in the WiFi driver in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580
CVSS Base8.4
â
CRSSelect profile
CVE-2025-53966 (reserved 2025, disclosed 2026)
8.4
ProcessorMultiple Products
An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580
CVSS Base8.4
â
CRSSelect profile
CVE-2025-65110 (reserved 2025, disclosed 2026)
8.1
VegaMultiple Products
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs
CVSS Base8.1
â
CRSSelect profile
CVE-2025-61916 (reserved 2025, disclosed 2026)
7.9
SpinnakerMultiple Products
Spinnaker is an open source, multi-cloud continuous delivery platform
CVSS Base7.9
â
CRSSelect profile
CVE-2025-57836 (reserved 2025, disclosed 2026)
7.8
SamsungMultiple Products
An issue was discovered in Samsung Magician 6
CVSS Base7.8
â
CRSSelect profile
CVE-2026-21673
7.8
iccDEVMultiple Products
iccDEV provides a set of libraries and tools for working with ICC color management profiles
CVSS Base7.8
â
CRSSelect profile
CVE-2026-21486
7.8
iccDEVMultiple Products
iccDEV provides a set of libraries and tools for working with ICC color management profiles
CVSS Base7.8
â
CRSSelect profile
CVE-2025-68033 (reserved 2025, disclosed 2026)
7.5
Brecht Custom RelatedMultiple Products
Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data
CVSS Base7.5
â
CRSSelect profile
CVE-2025-68547 (reserved 2025, disclosed 2026)
7.5
WPweb Follow My BlogMultiple Products
Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.5
â
CRSSelect profile
CVE-2025-68850 (reserved 2025, disclosed 2026)
7.5
Codepeople SellMultiple Products
Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.5
â
CRSSelect profile
CVE-2025-67303 (reserved 2025, disclosed 2026)
7.5
issueMultiple Products
An issue in ComfyUI-Manager prior to version 3
CVSS Base7.5
â
CRSSelect profile
CVE-2024-30516 (reserved 2024, disclosed 2026)
7.5
SaasProject BookingMultiple Products
Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.5
â
CRSSelect profile
CVE-2025-46255 (reserved 2025, disclosed 2026)
7.5
Marketing Fire LLCMultiple Products
Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.5
â
CRSSelect profile
CVE-2025-59467 (reserved 2025, disclosed 2026)
7.5
UCRM ArgentinaMultiple Products
A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-43706 (reserved 2025, disclosed 2026)
7.5
ModemMultiple Products
An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400
CVSS Base7.5
â
CRSSelect profile
CVE-2025-67419 (reserved 2025, disclosed 2026)
7.5
evershopMultiple Products
A Denial of Service (DoS) vulnerability in evershop 2
CVSS Base7.5
â
CRSSelect profile
CVE-2026-21507
7.5
iccDEVMultiple Products
iccDEV provides a set of libraries and tools for working with ICC color management profiles
CVSS Base7.5
â
CRSSelect profile
CVE-2026-0578
7.3đ
ReservationMultiple Products
A vulnerability has been found in code-projects Online Product Reservation System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0579
7.3đ
ReservationMultiple Products
A vulnerability was found in code-projects Online Product Reservation System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15456 (reserved 2025, disclosed 2026)
7.3đ
hasMultiple Products
A vulnerability has been found in bg5sbk MiniCMS up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15457 (reserved 2025, disclosed 2026)
7.3đ
wasMultiple Products
A vulnerability was found in bg5sbk MiniCMS up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-15458 (reserved 2025, disclosed 2026)
7.3
wasMultiple Products
A vulnerability was determined in bg5sbk MiniCMS up to 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0583
7.3
ReservationMultiple Products
A security flaw has been discovered in code-projects Online Product Reservation System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0585
7.3
ReservationMultiple Products
A security vulnerability has been detected in code-projects Online Product Reservation System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0589
7.3
ReservationMultiple Products
A vulnerability was found in code-projects Online Product Reservation System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0592
7.3
ReservationMultiple Products
A security flaw has been discovered in code-projects Online Product Reservation System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0605
7.3
MusicMultiple Products
A security vulnerability has been detected in code-projects Online Music Site 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0606
7.3
MusicMultiple Products
A vulnerability was detected in code-projects Online Music Site 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-0607
7.3
MusicMultiple Products
A flaw has been found in code-projects Online Music Site 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-5965 (reserved 2025, disclosed 2026)
7.2
backupMultiple Products
In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup
CVSS Base7.2
â
CRSSelect profile
CVE-2025-66376 (reserved 2025, disclosed 2026)
7.2
ZimbraMultiple Products
Zimbra Collaboration (ZCS) 10 before 10
CVSS Base7.2
â
CRSSelect profile
CVE-2025-66648 (reserved 2025, disclosed 2026)
7.2
UnknownMultiple Products
vega-functions provides function implementations for the Vega expression language
CVSS Base7.2
â
CRSSelect profile
CVE-2024-30461 (reserved 2024, disclosed 2026)
7.1
Tumult Inc TumultMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-52519 (reserved 2025, disclosed 2026)
7.1
ProcessorMultiple Products
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, and W1000
CVSS Base7.1
â
CRSSelect profile
CVE-2025-61781 (reserved 2025, disclosed 2026)
7.1
OpenCTIMultiple Products
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables