CVEs from 2025

Total: 12,202
- critical: 1,301
- high: 1,894
- medium: 1,908
- low: 193

% Critical: 10.7%
% with KEV: 1.5%
% with exploit: 1.5%
Top vendors
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- microsoft 107
- redhat 106
- portabilis 94
- mayurik 79
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- inventory_management_system 28
- gcp 23
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2025-34291 | high | 8.8 | 10.0 | 6mo ago | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with al… | |
| CVE-2025-54236 | critical | 9.1 | 10.0 | 9mo ago | Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. | |
| CVE-2025-49113 | critical | — | 10.0 | 1y ago | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.ph… | |
| CVE-2025-43529 | high | — | 9.5 | 5mo ago | Important: webkit2gtk3 security update | |
| CVE-2025-14174 | high | — | 9.5 | 5mo ago | Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability co… | |
| CVE-2025-31277 | high | — | 9.5 | 8mo ago | Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corru… | |
| CVE-2025-41244 | high | — | 9.5 | 8mo ago | Important: open-vm-tools security update | |
| CVE-2025-38352 | high | — | 9.5 | 9mo ago | Important: kernel security update | |
| CVE-2025-6558 | high | — | 9.5 | 10mo ago | Important: webkit2gtk3 security update | |
| CVE-2025-48384 | high | — | 9.5 | 10mo ago | Important: git security update | |
| CVE-2025-27363 | high | — | 9.5 | 1y ago | Important: freetype security update | |
| CVE-2025-24201 | high | — | 9.5 | 1y ago | Important: webkit2gtk3 security update | |
| CVE-2025-24813 | medium | — | 7.0 | 1y ago | Moderate: tomcat security update | |
| CVE-2025-29635 | unknown | — | 1.5 | 1mo ago | D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via … | |
| CVE-2025-48700 | unknown | — | 1.5 | 1mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to una… | |
| CVE-2025-2749 | unknown | — | 1.5 | 1mo ago | Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations. | |
| CVE-2025-32975 | unknown | — | 1.5 | 1mo ago | Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials. | |
| CVE-2025-60710 | unknown | — | 1.5 | 2mo ago | Microsoft Windows contains a link following vulnerability that allows for privilege escalation | |
| CVE-2025-53521 | unknown | — | 1.5 | 2mo ago | F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution. | |
| CVE-2025-43520 | unknown | — | 1.5 | 2mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel … | |
| CVE-2025-43510 | unknown | — | 1.5 | 2mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes. | |
| CVE-2025-66376 | unknown | — | 1.5 | 2mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML. | |
| CVE-2025-47813 | unknown | — | 1.5 | 2mo ago | Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie. | |
| CVE-2025-26399 | unknown | — | 1.5 | 3mo ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine. | |
| CVE-2025-68461 | unknown | — | 1.5 | 3mo ago | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | |
| CVE-2025-15556 | unknown | — | 1.5 | 4mo ago | Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute… | |
| CVE-2025-40536 | unknown | — | 1.5 | 4mo ago | SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality. | |
| CVE-2025-64328 | unknown | — | 1.5 | 4mo ago | Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> c… | |
| CVE-2025-40551 | unknown | — | 1.5 | 4mo ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This c… | |
| CVE-2025-52691 | unknown | — | 1.5 | 4mo ago | SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail s… | |
| CVE-2025-68645 | unknown | — | 1.5 | 4mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal reque… | |
| CVE-2025-34026 | unknown | — | 1.5 | 4mo ago | Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The… | |
| CVE-2025-37164 | unknown | — | 1.5 | 5mo ago | Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution. | |
| CVE-2025-14847 | unknown | — | 1.5 | 5mo ago | MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by a… | |
| CVE-2025-68613 | unknown | — | 1.5 | 5mo ago | n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution. | |
| CVE-2025-14733 | unknown | — | 1.5 | 5mo ago | WatchGuard Fireware OS contains an out-of-bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and … | |
| CVE-2025-20393 | unknown | — | 1.5 | 5mo ago | Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with… | |
| CVE-2025-59374 | unknown | — | 1.5 | 5mo ago | ASUS Live Update contains an embedded malicious code vulnerability: clients were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could caus… | |
| CVE-2025-40602 | unknown | — | 1.5 | 5mo ago | SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation in the appliance management console (AMC) of affected devices. | |
| CVE-2025-59718 | unknown | — | 1.5 | 5mo ago | Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiC… | |
| CVE-2025-14611 | unknown | — | 1.5 | 5mo ago | Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoin… | |
| CVE-2025-8110 | unknown | — | 1.5 | 6mo ago | Gogs contains a path traversal vulnerability affecting improper symbolic link handling in the PutContents API that could allow for code execution. | |
| CVE-2025-62221 | unknown | — | 1.5 | 6mo ago | Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally. | |
| CVE-2025-6218 | unknown | — | 1.5 | 6mo ago | RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user. | |
| CVE-2025-66644 | unknown | — | 1.5 | 6mo ago | Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands. | |
| CVE-2025-55182 | unknown | — | 1.5 | 6mo ago | Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Ser… | |
| CVE-2025-48633 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for information disclosure. | |
| CVE-2025-48572 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2025-58360 | unknown | — | 1.5 | 6mo ago | OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation… | |
| CVE-2025-61757 | unknown | — | 1.5 | 6mo ago | Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager. | |
| CVE-2025-13223 | unknown | — | 1.5 | 6mo ago | Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption. | |
| CVE-2025-58034 | unknown | — | 1.5 | 6mo ago | Fortinet FortiWeb contains an OS command injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI comman… | |
| CVE-2025-64446 | unknown | — | 1.5 | 7mo ago | Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. | |
| CVE-2025-9242 | unknown | — | 1.5 | 7mo ago | WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code. | |
| CVE-2025-62215 | unknown | — | 1.5 | 7mo ago | Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could ena… | |
| CVE-2025-12480 | unknown | — | 1.5 | 7mo ago | Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete. | |
| CVE-2025-21042 | unknown | — | 1.5 | 7mo ago | Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code. | |
| CVE-2025-48703 | unknown | — | 1.5 | 7mo ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in… | |
| CVE-2025-11371 | unknown | — | 1.5 | 7mo ago | Gladinet CentreStack and Triofox contain a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files. | |
| CVE-2025-11953 | unknown | — | 1.5 | 7mo ago | React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary e… | |
| CVE-2025-6204 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code. | |
| CVE-2025-6205 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application. | |
| CVE-2025-59287 | unknown | — | 1.5 | 7mo ago | Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution. | |
| CVE-2025-61932 | unknown | — | 1.5 | 7mo ago | Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packet… | |
| CVE-2025-2746 | unknown | — | 1.5 | 7mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |
| CVE-2025-33073 | unknown | — | 1.5 | 7mo ago | Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the … | |
| CVE-2025-2747 | unknown | — | 1.5 | 7mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |
| CVE-2025-61884 | unknown | — | 1.5 | 7mo ago | Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication. | |
| CVE-2025-54253 | unknown | — | 1.5 | 8mo ago | Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution. | |
| CVE-2025-47827 | unknown | — | 1.5 | 8mo ago | IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a cr… | |
| CVE-2025-59230 | unknown | — | 1.5 | 8mo ago | Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally. | |
| CVE-2025-24990 | unknown | — | 1.5 | 8mo ago | Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain… | |
| CVE-2025-27915 | unknown | — | 1.5 | 8mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user… | |
| CVE-2025-61882 | unknown | — | 1.5 | 8mo ago | Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise O… | |
| CVE-2025-4008 | unknown | — | 1.5 | 8mo ago | Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected de… | |
| CVE-2025-21043 | unknown | — | 1.5 | 8mo ago | Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code. | |
| CVE-2025-20352 | unknown | — | 1.5 | 8mo ago | Cisco IOS and IOS XE contain a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A… | |
| CVE-2025-10035 | unknown | — | 1.5 | 8mo ago | Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, … | |
| CVE-2025-32463 | unknown | — | 1.5 | 8mo ago | Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary command… | |
| CVE-2025-59689 | unknown | — | 1.5 | 8mo ago | Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment. | |
| CVE-2025-20362 | unknown | — | 1.5 | 8mo ago | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be cha… | |
| CVE-2025-20333 | unknown | — | 1.5 | 8mo ago | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution.… | |
| CVE-2025-10585 | unknown | — | 1.5 | 8mo ago | Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. | |
| CVE-2025-5086 | unknown | — | 1.5 | 9mo ago | Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution. | |
| CVE-2025-48543 | unknown | — | 1.5 | 9mo ago | Android Runtime contains a use-after-free vulnerability potentially allowing a Chrome sandbox escape leading to local privilege escalation. | |
| CVE-2025-53690 | unknown | — | 1.5 | 9mo ago | Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine … | |
| CVE-2025-9377 | unknown | — | 1.5 | 9mo ago | TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-servi… | |
| CVE-2025-55177 | unknown | — | 1.5 | 9mo ago | Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated use… | |
| CVE-2025-57819 | unknown | — | 1.5 | 9mo ago | Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data that allows unauthenticated access to FreePBX Administrator, leading to arbitrary database… | |
| CVE-2025-7775 | unknown | — | 1.5 | 9mo ago | Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service. | |
| CVE-2025-43300 | unknown | — | 1.5 | 9mo ago | Apple iOS, iPadOS, and macOS contain an out-of-bounds write vulnerability in the Image I/O framework. | |
| CVE-2025-54948 | unknown | — | 1.5 | 9mo ago | Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands … | |
| CVE-2025-8876 | unknown | — | 1.5 | 10mo ago | N-able N-Central contains a command injection vulnerability via improper sanitization of user input. | |
| CVE-2025-8875 | unknown | — | 1.5 | 10mo ago | N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution. | |
| CVE-2025-8088 | unknown | — | 1.5 | 10mo ago | RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files. | |
| CVE-2025-20337 | unknown | — | 1.5 | 10mo ago | Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to explo… | |
| CVE-2025-20281 | unknown | — | 1.5 | 10mo ago | Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to explo… | |
| CVE-2025-49706 | unknown | — | 1.5 | 10mo ago | Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow an attacker to view… | |
| CVE-2025-2775 | unknown | — | 1.5 | 10mo ago | SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primi… | |
| CVE-2025-54309 | unknown | — | 1.5 | 10mo ago | CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, it mishandles AS2 validation and consequently allows remote attackers to obtain admin access via… | |