CVEs from 2025
Total
8,834
critical
critical 1,313
high
high 1,950
medium
medium 1,966
low
low 200
% Critical
14.9%
% with KEV
2.1%
% with exploit
2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-62242 | unknown | — | — | 8mo ago | Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key | |||
| CVE-2025-62241 | unknown | — | — | 8mo ago | Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key | |||
| CVE-2025-62246 | unknown | — | — | 8mo ago | Liferay Mentions Web is Vulnerable to Cross-site Scripting | |||
| CVE-2025-62252 | unknown | — | — | 8mo ago | Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key | |||
| CVE-2025-62243 | unknown | — | — | 8mo ago | Liferay Publications is vulnerable to Incorrect Authorization | |||
| CVE-2025-62244 | unknown | — | — | 8mo ago | Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key | |||
| CVE-2025-62706 | unknown | — | — | 8mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can exp… | |||
| CVE-2025-62245 | unknown | — | — | 8mo ago | Liferay Portal is vulnerable to CSRF through publication comments | |||
| CVE-2025-11581 | unknown | — | — | 8mo ago | PowerJob OpenAPIController is missing authorization | |||
| CVE-2025-61920 | unknown | — | — | 8mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote atta… | |||
| CVE-2025-11580 | unknown | — | — | 8mo ago | PowerJob has Missing Authorization in its /user/list file | |||
| CVE-2025-62238 | unknown | — | — | 8mo ago | Liferay Portal's Membership page is vulnerable to XSS through “name“ text field | |||
| CVE-2025-62239 | unknown | — | — | 8mo ago | Liferay Portal is vulnerable to XSS through its workflow process builder | |||
| CVE-2025-62237 | unknown | — | — | 8mo ago | Liferay Portal Commerce is vulnerable to XSS through account "name" field | |||
| CVE-2025-11579 | unknown | — | — | 8mo ago | github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause … | |||
| CVE-2025-30001 | unknown | — | — | 8mo ago | Apache StreamPark contains an Incorrect Execution-Assigned Permissions vulnerability | |||
| CVE-2025-37727 | unknown | — | — | 8mo ago | Elasticsearch: Insertion of Sensitive Information into Log File via reindex API | |||
| CVE-2025-62240 | unknown | — | — | 8mo ago | Liferay Portal is vulnerable to XSS through its Calendar Events parameters | |||
| CVE-2025-62228 | unknown | — | — | 8mo ago | Apache Flink CDC is vulnerable to SQL Injection through maliciously crafted identifiers | |||
| CVE-2025-9162 | unknown | — | — | 8mo ago | Keycloak Potential Variable Reference in Model Storage Services | |||
| CVE-2025-61788 | unknown | — | — | 8mo ago | Opencast's Paella Player 7 is vulnerable to Cross-Site Scripting | |||
| CVE-2025-43771 | unknown | — | — | 8mo ago | Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields | |||
| CVE-2025-43829 | unknown | — | — | 8mo ago | Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file | |||
| CVE-2025-43830 | unknown | — | — | 8mo ago | Liferay Portal is vulnerable to Stored XSS through Forms text type field | |||
| CVE-2025-43821 | unknown | — | — | 8mo ago | Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field | |||
| CVE-2025-43822 | unknown | — | — | 8mo ago | Liferay Portal has multiple Stored XSS vulnerabilities on its View Order page | |||
| CVE-2025-43823 | unknown | — | — | 8mo ago | Liferay Portal is vulnerable to XSS through its Commerce Search Result widget | |||
| CVE-2025-43824 | unknown | — | — | 8mo ago | Liferay Profile Widget does not prevent vCard extension spoofing | |||
| CVE-2025-52472 | unknown | — | — | 8mo ago | XWiki Platform is vulnerable to HQL injection via wiki and space search REST API | |||
| CVE-2025-49594 | unknown | — | — | 8mo ago | XWiki OIDC Authenticator: Users with "view" access can create tokens for any users they can view | |||
| CVE-2025-43825 | unknown | — | — | 8mo ago | Liferay Portal exposes sensitive user data through its Freemarker template | |||
| CVE-2025-54286 | unknown | — | — | 8mo ago | Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions… | |||
| CVE-2025-54287 | unknown | — | — | 8mo ago | Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via special… | |||
| CVE-2025-54288 | unknown | — | — | 8mo ago | Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers a… | |||
| CVE-2025-54289 | unknown | — | — | 8mo ago | Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebS… | |||
| CVE-2025-54290 | unknown | — | — | 8mo ago | Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wi… | |||
| CVE-2025-54293 | unknown | — | — | 8mo ago | Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symb… | |||
| CVE-2025-54291 | unknown | — | — | 8mo ago | Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code resp… | |||
| CVE-2025-61734 | unknown | — | — | 8mo ago | Apache Kylin Files or Directories Accessible to External Parties | |||
| CVE-2025-61733 | unknown | — | — | 8mo ago | Apache Kylin Authentication Bypass Vulnerability | |||
| CVE-2025-61735 | unknown | — | — | 8mo ago | Apache Kylin Server-Side Request Forgery (SSRF) Vulnerability | |||
| CVE-2025-43826 | unknown | — | — | 8mo ago | Liferay Portal Vulnerable to XSS in Web Content translation | |||
| CVE-2025-43827 | unknown | — | — | 8mo ago | Liferay Portal Vulnerable to IDOR via audit events | |||
| CVE-2025-43811 | unknown | — | — | 8mo ago | Liferay Portal vulnerable to cross-site scripting in the related asset selector | |||
| CVE-2025-43818 | unknown | — | — | 8mo ago | Liferay Portal vulnerable to cross-site scripting in the Calendar widget | |||
| CVE-2025-43813 | unknown | — | — | 8mo ago | Liferay Portal vulnerable to path traversal and denial-of-service in the ComboServlet | |||
| CVE-2025-43815 | unknown | — | — | 8mo ago | Liferay Portal vulnerable to reflected cross-site scripting on the page configuration page | |||
| CVE-2025-43817 | unknown | — | — | 8mo ago | Liferay Portal vulnerable to reflected cross-site scripting via the `redirect` parameter | |||
| CVE-2025-43820 | unknown | — | — | 8mo ago | Liferay Portal vulnerable to cross-site scripting in the Calendar widget | |||
| CVE-2025-43812 | unknown | — | — | 8mo ago | Liferay Portal vulnerable to cross-site scripting in the web content template | |||
| CVE-2025-59952 | unknown | — | — | 8mo ago | MinIO Java Client XML Tag Value Substitution Vulnerability | |||
| CVE-2025-59842 | unknown | — | — | 8mo ago | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markd… | |||
| CVE-2025-1396 | unknown | — | — | 8mo ago | WSO2's Input Validation Management Service contains Observable Discrepancy when Multi-Attribute Login is enabled | |||
| CVE-2025-56769 | unknown | — | — | 8mo ago | Hutool allows remote code execution (RCE) via the QLExpressEngine class | |||
| CVE-2025-43816 | unknown | — | — | 8mo ago | Liferay Portal and DXP vulnerable to a memory leak | |||
| CVE-2025-55560 | unknown | — | — | 8mo ago | An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor. | |||
| CVE-2025-55558 | unknown | — | — | 8mo ago | A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a… | |||
| CVE-2025-55557 | unknown | — | — | 8mo ago | A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS). | |||
| CVE-2025-55554 | unknown | — | — | 8mo ago | pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long(). | |||
| CVE-2025-55553 | unknown | — | — | 8mo ago | A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS). | |||
| CVE-2025-55552 | unknown | — | — | 8mo ago | pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together. | |||
| CVE-2025-55551 | unknown | — | — | 8mo ago | An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation. | |||
| CVE-2025-46153 | unknown | — | — | 8mo ago | PyTorch before 3.7.0 has a bernoulli_p decompose function in decompositions.py even though it lacks full consistency with the eager CPU implementation, negatively affecting nn.Dropout1d, nn.Dropout2d… | |||
| CVE-2025-46152 | unknown | — | — | 8mo ago | In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument. | |||
| CVE-2025-46150 | unknown | — | — | 8mo ago | In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results. | |||
| CVE-2025-46149 | unknown | — | — | 8mo ago | In PyTorch before 2.7.0, when inductor is used, nn.Fold has an assertion error. | |||
| CVE-2025-46148 | unknown | — | — | 8mo ago | In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results. | |||
| CVE-2025-8869 | unknown | — | — | 8mo ago | When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for th… | |||
| CVE-2025-58457 | unknown | — | — | 8mo ago | Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands | |||
| CVE-2025-48392 | unknown | — | — | 8mo ago | Apache IoTDB: DoS Vulnerability | |||
| CVE-2025-48459 | unknown | — | — | 8mo ago | Apache IoTDB: Deserialization of untrusted Data | |||
| CVE-2025-43819 | unknown | — | — | 8mo ago | Liferay Portal and DXP does not properly expire sessions | |||
| CVE-2025-59822 | unknown | — | — | 8mo ago | Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section | |||
| CVE-2025-4760 | unknown | — | — | 8mo ago | WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability | |||
| CVE-2025-43814 | unknown | — | — | 8mo ago | Liferay Portal and DXP audit events record password reminder answers | |||
| CVE-2025-43810 | unknown | — | — | 8mo ago | Liferay Portal and DXP allows users to add a note to a different virtual instance | |||
| CVE-2025-43806 | unknown | — | — | 8mo ago | Liferay Portal and DXP does not properly check permission with import and export tasks | |||
| CVE-2025-43807 | unknown | — | — | 8mo ago | Liferay has a stored cross-site scripting (XSS) vulnerability via a a publication’s “Name” text field | |||
| CVE-2025-6544 | unknown | — | — | 8mo ago | H2O affected by a deserialization vulnerability | |||
| CVE-2025-59420 | unknown | — | — | 8mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), vi… | |||
| CVE-2025-5962 | medium | — | — | 8mo ago | RHSA-2025:16346: command-line-assistant security update (Moderate) | |||
| CVE-2025-43808 | unknown | — | — | 9mo ago | Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource | |||
| CVE-2025-43809 | unknown | — | — | 9mo ago | Liferay Portal Cross-Site Request Forgery (CSRF) vulnerability | |||
| CVE-2025-43803 | unknown | — | — | 9mo ago | Liferay Contacts Center widget has insecure direct object reference | |||
| CVE-2025-9906 | unknown | — | — | 9mo ago | Keras is vulnerable to Deserialization of Untrusted Data | |||
| CVE-2025-8419 | unknown | — | — | 9mo ago | Keycloak SMTP Inject Vulnerability | |||
| CVE-2025-59340 | unknown | — | — | 9mo ago | jinjava has Sandbox Bypass via JavaType-Based Deserialization | |||
| CVE-2025-59474 | unknown | — | — | 9mo ago | Jenkins has a missing permission check, allowing users to obtain agent names | |||
| CVE-2025-59476 | unknown | — | — | 9mo ago | Jenkins has a log message injection vulnerability | |||
| CVE-2025-43804 | unknown | — | — | 9mo ago | Liferay search widget vulnerable to Cross-site Scripting | |||
| CVE-2025-43805 | unknown | — | — | 9mo ago | Liferay Portal allows remote attackers to view display page templates via crafted URLs | |||
| CVE-2025-59432 | unknown | — | — | 9mo ago | Timing Attack Vulnerability in SCRAM Authentication | |||
| CVE-2025-43801 | unknown | — | — | 9mo ago | Liferay Portal has unchecked input for loop condition vulnerability in XML-RPC | |||
| CVE-2025-10492 | unknown | — | — | 9mo ago | JasperReports has a Java deserialisation vulnerability | |||
| CVE-2025-41243 | unknown | — | — | 9mo ago | Spring Expression language property modification using Spring Cloud Gateway Server WebFlux | |||
| CVE-2025-41249 | unknown | — | — | 9mo ago | Spring Framework annotation detection mechanism may result in improper authorization | |||
| CVE-2025-41248 | unknown | — | — | 9mo ago | Spring Security annotation detection mechanism has authorization bypass | |||
| CVE-2025-59154 | unknown | — | — | 9mo ago | Openfire has potential identity spoofing issue via unsafe CN parsing | |||
| CVE-2025-43802 | unknown | — | — | 9mo ago | Liferay Stored Cross-site Scripting vulnerability | |||
| CVE-2025-43798 | unknown | — | — | 9mo ago | Liferay DXP Missing Critical Step in Authentication |