CVEs from 2025
Total
9,175
critical
critical 1,302
high
high 1,903
medium
medium 1,915
low
low 193
% Critical
14.2%
% with KEV
2.0%
% with exploit
2.2%
Top vendors
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- microsoft 107
- redhat 106
- portabilis 94
- mayurik 79
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-53243 | high | 8.1 | 8.1 | 9mo ago | Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress employee-directory allows Object Injection.This issue affect… | |||
| CVE-2025-9262 | high | 8.1 | 8.1 | 9mo ago | wong2 mcp-cli Command Injection Vulnerability | |||
| CVE-2025-49438 | high | 8.1 | 8.1 | 9mo ago | Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection. This issue affects Simple Login Log: from n/a through 1.1.3. | |||
| CVE-2025-47219 | high | 8.1 | 8.1 | 10mo ago | In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure. | |||
| CVE-2025-7947 | high | 8.1 | 8.1 | 10mo ago | A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument … | |||
| CVE-2025-7628 | high | 8.1 | 8.1 | 11mo ago | A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. It has been classified as critical. This affects the function deleteFile of the file /dele… | |||
| CVE-2025-7079 | high | 8.1 | 8.1 | 11mo ago | A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the… | |||
| CVE-2025-52813 | high | 8.1 | 8.1 | 11mo ago | Missing Authorization vulnerability in pietro MobiLoud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MobiLoud: from n/a through 4.6.5. | |||
| CVE-2025-7060 | high | 8.1 | 8.1 | 11mo ago | A vulnerability was found in Monitorr up to 1.7.6m. It has been classified as problematic. This affects an unknown part of the file assets/config/_installation/mkdbajax.php of the component Installer… | |||
| CVE-2025-52810 | high | 8.1 | 8.1 | 11mo ago | Path Traversal vulnerability in TMRW-studio Katerio - Magazine allows PHP Local File Inclusion. This issue affects Katerio - Magazine: from n/a through 1.5.1. | |||
| CVE-2025-6329 | high | 8.1 | 8.1 | 11mo ago | A vulnerability was found in ScriptAndTools Real Estate Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file userdelete.php of the component Us… | |||
| CVE-2025-49454 | high | 8.1 | 8.1 | 1y ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean TinySalt tinysalt allows PHP Local File Inclusion.This issue affects… | |||
| CVE-2025-5877 | high | 8.1 | 8.1 | 1y ago | A vulnerability, which was classified as problematic, has been found in Fengoffice Feng Office 3.2.2.1. Affected by this issue is some unknown functionality of the file /application/models/Applicatio… | |||
| CVE-2025-5139 | high | 8.1 | 8.1 | 1y ago | A vulnerability was found in Qualitor 8.20/8.24. It has been rated as critical. Affected by this issue is some unknown functionality of the file /html/ad/adconexaooffice365/request/testaConexaoOffice… | |||
| CVE-2025-31633 | high | 8.1 | 8.1 | 1y ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kiamo - Responsive Business Service WordPress Theme allows PHP Local Fi… | |||
| CVE-2025-31632 | high | 8.1 | 8.1 | 1y ago | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. This issue affects La Boom… | |||
| CVE-2025-39491 | high | 8.1 | 8.1 | 1y ago | Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. This issue affects WHMpress: from 6.2 through revision. | |||
| CVE-2025-2338 | high | 8.1 | 8.1 | 1y ago | A vulnerability, which was classified as critical, was found in tbeu matio 1.5.28. Affected is the function strdup_vprintf of the file src/io.c. The manipulation leads to heap-based buffer overflow. … | |||
| CVE-2025-2337 | high | 8.1 | 8.1 | 1y ago | A vulnerability, which was classified as critical, has been found in tbeu matio 1.5.28. This issue affects the function Mat_VarPrint of the file src/mat.c. The manipulation leads to heap-based buffer… | |||
| CVE-2025-23368 | high | 8.1 | 8.1 | 1y ago | Wildfly Elytron integration susceptible to brute force attacks via CLI | |||
| CVE-2025-32802 | high | — | 8.0 | — | Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured… | |||
| CVE-2025-32803 | high | — | 8.0 | — | In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | |||
| CVE-2025-46803 | high | — | 8.0 | — | The default mode of pseudo terminals (PTYs) allocated by Screen was changed from 0620 to 0622, thereby allowing anyone to write to any Screen PTYs in the system. | |||
| CVE-2025-46805 | high | — | 8.0 | — | Screen version 5.0.0 and older version 4 releases have a TOCTOU race potentially allowing to send SIGHUP, SIGCONT to privileged processes when installed setuid-root. | |||
| CVE-2025-6170 | high | — | 8.0 | — | A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, … | |||
| CVE-2025-23395 | high | — | 8.0 | — | Screen 5.0.0 when it runs with setuid-root privileges does not drop privileges while operating on a user supplied path. This allows unprivileged users to create files in arbitrary locations with `roo… | |||
| CVE-2025-32801 | high | — | 8.0 | — | Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the contr… | |||
| CVE-2025-46804 | high | — | 8.0 | — | A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Scree… | |||
| CVE-2025-30232 | high | — | 8.0 | — | A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges. | |||
| CVE-2025-40775 | high | — | 8.0 | — | When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an as… | |||
| CVE-2025-53367 | high | — | 8.0 | — | DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerabili… | |||
| CVE-2025-46802 | high | — | 8.0 | — | For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session. | |||
| CVE-2025-49091 | high | — | 8.0 | — | KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed r… | |||
| CVE-2025-49795 | high | — | 8.0 | — | A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of ser… | |||
| CVE-2025-68183 | high | — | 8.0 | 2d ago | Important: kernel-rt security update | |||
| CVE-2025-68347 | high | — | 8.0 | 2d ago | Important: kernel-rt security update | |||
| CVE-2025-68366 | high | — | 8.0 | 2d ago | In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK:… | |||
| CVE-2025-38653 | high | — | 8.0 | 2d ago | In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may ca… | |||
| CVE-2025-71089 | high | — | 8.0 | 2d ago | In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a f… | |||
| CVE-2025-11954 | high | 8.0 | 8.0 | 9d ago | Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: The ve… | |||
| CVE-2025-71116 | high | — | 8.0 | 10d ago | Important: kernel-rt security update | |||
| CVE-2025-68741 | high | — | 8.0 | 10d ago | Important: kernel security update | |||
| CVE-2025-15282 | high | — | 8.0 | 11d ago | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | |||
| CVE-2025-13465 | high | — | 8.0 | 11d ago | Important: pcs security update | |||
| CVE-2025-13837 | high | — | 8.0 | 11d ago | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | |||
| CVE-2025-46701 | high | — | 8.0 | 11d ago | Apache Tomcat - CGI security constraint bypass | |||
| CVE-2025-43511 | high | — | 8.0 | 11d ago | Important: webkit2gtk3 security update | |||
| CVE-2025-43213 | high | — | 8.0 | 11d ago | Important: webkit2gtk3 security update | |||
| CVE-2025-43214 | high | — | 8.0 | 11d ago | Important: webkit2gtk3 security update | |||
| CVE-2025-46299 | high | — | 8.0 | 11d ago | Important: webkit2gtk3 security update | |||
| CVE-2025-43457 | high | — | 8.0 | 11d ago | Important: webkit2gtk3 security update | |||
| CVE-2025-15284 | high | — | 8.0 | 11d ago | Important: linux-sgx security update | |||
| CVE-2025-55668 | high | — | 8.0 | 11d ago | Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old… | |||
| CVE-2025-61726 | high | — | 8.0 | 11d ago | Important: containernetworking-plugins security update | |||
| CVE-2025-71261 | high | — | 8.0 | 23d ago | Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS | |||
| CVE-2025-40252 | high | — | 8.0 | 25d ago | In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede… | |||
| CVE-2025-68724 | high | — | 8.0 | 25d ago | In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential inte… | |||
| CVE-2025-15270 | high | — | 8.0 | 2mo ago | Important: fontforge security update | |||
| CVE-2025-61731 | high | — | 8.0 | 2mo ago | Important: golang security update | |||
| CVE-2025-67873 | high | — | 8.0 | 2mo ago | Important: capstone security update | |||
| CVE-2025-68114 | high | — | 8.0 | 2mo ago | Important: capstone security update | |||
| CVE-2025-15568 | high | 8.0 | 8.0 | 3mo ago | A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code executi… | |||
| CVE-2025-69534 | high | — | 8.0 | 3mo ago | Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-M… | |||
| CVE-2025-67733 | high | — | 8.0 | 3mo ago | Important: valkey security update | |||
| CVE-2025-38248 | high | — | 8.0 | 3mo ago | In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a mul… | |||
| CVE-2025-55131 | high | — | 8.0 | 3mo ago | Important: nodejs:20 security update | |||
| CVE-2025-55130 | high | — | 8.0 | 3mo ago | Important: nodejs:20 security update | |||
| CVE-2025-55132 | high | — | 8.0 | 3mo ago | Important: nodejs:20 security update | |||
| CVE-2025-59465 | high | — | 8.0 | 3mo ago | Important: nodejs:20 security update | |||
| CVE-2025-59466 | high | — | 8.0 | 3mo ago | Important: nodejs:20 security update | |||
| CVE-2025-61728 | high | — | 8.0 | 3mo ago | Important: podman security update | |||
| CVE-2025-15059 | high | — | 8.0 | 3mo ago | Important: gimp security update | |||
| CVE-2025-61732 | high | — | 8.0 | 3mo ago | Important: golang security update | |||
| CVE-2025-15269 | high | — | 8.0 | 4mo ago | Important: fontforge security update | |||
| CVE-2025-15279 | high | — | 8.0 | 4mo ago | Important: fontforge security update | |||
| CVE-2025-15275 | high | — | 8.0 | 4mo ago | Important: fontforge security update | |||
| CVE-2025-69971 | high | — | 8.0 | 4mo ago | FUXA has a hardcoded fallback JWT signing secret | |||
| CVE-2025-15468 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-15469 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-66199 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-11187 | high | — | 8.0 | 4mo ago | Important: openssl security update | |||
| CVE-2025-14177 | high | — | 8.0 | 4mo ago | Important: php:8.3 security update | |||
| CVE-2025-14180 | high | — | 8.0 | 4mo ago | Important: php:8.3 security update | |||
| CVE-2025-14178 | high | — | 8.0 | 4mo ago | Important: php:8.3 security update | |||
| CVE-2025-38731 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix vm_bind_ioctl double free bug If the argument check during an array bind fails, the bind_ops are freed twice as seen … | |||
| CVE-2025-38349 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep re… | |||
| CVE-2025-38141 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: dm: fix dm_blk_report_zones If dm_get_live_table() returned NULL, dm_put_live_table() was never called. Also, it is possible that… | |||
| CVE-2025-66418 | high | — | 8.0 | 4mo ago | Important: resource-agents security update | |||
| CVE-2025-40258 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcp_schedule_work() syzbot reported use-after-free in mptcp_schedule_work() [1] Issue here is tha… | |||
| CVE-2025-68301 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17… | |||
| CVE-2025-40248 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an… | |||
| CVE-2025-68305 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and so… | |||
| CVE-2025-40294 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'len… | |||
| CVE-2025-61729 | high | — | 8.0 | 4mo ago | Important: containernetworking-plugins security update | |||
| CVE-2025-14423 | high | — | 8.0 | 4mo ago | Important: gimp security update | |||
| CVE-2025-14424 | high | — | 8.0 | 4mo ago | Important: gimp security update | |||
| CVE-2025-14422 | high | — | 8.0 | 4mo ago | Important: gimp security update | |||
| CVE-2025-14425 | high | — | 8.0 | 4mo ago | Important: gimp security update | |||
| CVE-2025-68285 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client r… | |||
| CVE-2025-39933 | high | — | 8.0 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: smb: client: let recv_done verify data_offset, data_length and remaining_data_length This is inspired by the related server fixes. |