CVEs from 2025
Total
11,985
critical
critical 1,301
high
high 1,894
medium
medium 1,908
low
low 193
% Critical
10.9%
% with KEV
1.5%
% with exploit
1.5%
Top vendors
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- microsoft 107
- redhat 106
- portabilis 94
- mayurik 79
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- inventory_management_system 28
- gcp 24
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2025-34291 | high | 8.8 | 10.0 | 6mo ago | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with al… | |
| CVE-2025-54236 | critical | 9.1 | 10.0 | 9mo ago | Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. | |
| CVE-2025-49113 | critical | — | 10.0 | 1y ago | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.ph… | |
| CVE-2025-43529 | high | — | 9.5 | 5mo ago | Important: webkit2gtk3 security update | |
| CVE-2025-14174 | high | — | 9.5 | 5mo ago | Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability co… | |
| CVE-2025-31277 | high | — | 9.5 | 8mo ago | Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corru… | |
| CVE-2025-41244 | high | — | 9.5 | 8mo ago | Important: open-vm-tools security update | |
| CVE-2025-38352 | high | — | 9.5 | 9mo ago | Important: kernel security update | |
| CVE-2025-6558 | high | — | 9.5 | 10mo ago | Important: webkit2gtk3 security update | |
| CVE-2025-48384 | high | — | 9.5 | 10mo ago | Important: git security update | |
| CVE-2025-27363 | high | — | 9.5 | 1y ago | Important: freetype security update | |
| CVE-2025-24201 | high | — | 9.5 | 1y ago | Important: webkit2gtk3 security update | |
| CVE-2025-24813 | medium | — | 7.0 | 1y ago | Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | |
| CVE-2025-68461 | unknown | — | 1.5 | 3mo ago | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. |