CVEs from 2025
- Total: 9,420
- critical: 1,301
- high: 1,899
- medium: 1,910
- low: 193
- % Critical: 13.8%
- % with KEV: 1.9%
- % with exploit: 2.0%
Top vendors
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- microsoft 107
- redhat 106
- portabilis 94
- mayurik 79
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- inventory_management_system 28
- gcp 24
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2025-34291 | high | 8.8 | 10.0 | 6mo ago | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with al… | |
| CVE-2025-43529 | high | — | 9.5 | 5mo ago | Important: webkit2gtk3 security update | |
| CVE-2025-14174 | high | — | 9.5 | 5mo ago | Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability co… | |
| CVE-2025-31277 | high | — | 9.5 | 8mo ago | Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corru… | |
| CVE-2025-41244 | high | — | 9.5 | 8mo ago | Important: open-vm-tools security update | |
| CVE-2025-38352 | high | — | 9.5 | 9mo ago | In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has alr… | |
| CVE-2025-6558 | high | — | 9.5 | 10mo ago | Important: webkit2gtk3 security update | |
| CVE-2025-48384 | high | — | 9.5 | 10mo ago | Important: git security update | |
| CVE-2025-27363 | high | — | 9.5 | 1y ago | Important: freetype security update | |
| CVE-2025-24201 | high | — | 9.5 | 1y ago | Important: webkit2gtk3 security update | |
| CVE-2025-24813 | medium | — | 7.0 | 1y ago | Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | |
| CVE-2025-68461 | unknown | — | 1.5 | 3mo ago | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | |
| CVE-2025-58360 | unknown | — | 1.5 | 6mo ago | GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature | |
| CVE-2025-24893 | unknown | — | 1.5 | 1y ago | XWiki Platform allows remote code execution as guest via SolrSearchMacros request | |