CVEs from 2025
Total: 8,834
- critical: 1,313
- high: 1,950
- medium: 1,966
- low: 200
% Critical: 14.9%
% with KEV: 2.1%
% with exploit: 2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-43798 | unknown | — | — | | | | 9mo ago | Liferay DXP Missing Critical Step in Authentication |
| CVE-2025-43800 | unknown | — | — | | | | 9mo ago | Liferay Portal Cross-site Scripting (XSS) vulnerability |
| CVE-2025-43793 | unknown | — | — | | | | 9mo ago | Liferay Portal has Improper Validation of Specified Quantity in Input |
| CVE-2025-43791 | unknown | — | — | | | | 9mo ago | Liferay Portal vulnerable to Cross-site Scripting |
| CVE-2025-59328 | unknown | — | — | | | | 9mo ago | Apache Fory Deserialization of Untrusted Data vulnerability |
| CVE-2025-43792 | unknown | — | — | | | | 9mo ago | Liferay Portal has External Control of System or Configuration Settings |
| CVE-2025-43794 | unknown | — | — | | | | 9mo ago | Liferay Portal has stored cross-site scripting (XSS) vulnerability |
| CVE-2025-43795 | unknown | — | — | | | | 9mo ago | Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect |
| CVE-2025-43796 | unknown | — | — | | | | 9mo ago | Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack |
| CVE-2025-43787 | unknown | — | — | | | | 9mo ago | Liferay Portal's selection modal is vulnerable to XSS |
| CVE-2025-43788 | unknown | — | — | | | | 9mo ago | Liferay Portal's Organization Selector exposes organization data to remote authenticated users |
| CVE-2025-43789 | unknown | — | — | | | | 9mo ago | Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution |
| CVE-2025-43790 | unknown | — | — | | | | 9mo ago | Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass |
| CVE-2025-43782 | unknown | — | — | | | | 9mo ago | Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name |
| CVE-2025-48041 | unknown | — | — | | | | 9mo ago | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/… |
| CVE-2025-48040 | unknown | — | — | | | | 9mo ago | Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.e… |
| CVE-2025-48039 | unknown | — | — | | | | 9mo ago | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with prog… |
| CVE-2025-48038 | unknown | — | — | | | | 9mo ago | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with prog… |
| CVE-2025-43783 | unknown | — | — | | | | 9mo ago | Liferay Portal is vulnerable to Reflected XSS attack through get_editor path |
| CVE-2025-43784 | unknown | — | — | | | | 9mo ago | Liferay Portal's Incorrect Authorization vulnerability can lead to guest users obtaining sensitive data |
| CVE-2025-43785 | unknown | — | — | | | | 9mo ago | Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting |
| CVE-2025-43786 | unknown | — | — | | | | 9mo ago | Liferay Portal exposes ERC which can lead to exploit the time response attack |
| CVE-2025-43781 | unknown | — | — | | | | 9mo ago | Liferay Portal is vulnerable to XSS attack through its search bar portlet |
| CVE-2025-43775 | unknown | — | — | | | | 9mo ago | Liferay Portal is vulnerable to XSS attacks via its remote app title field |
| CVE-2025-43776 | unknown | — | — | | | | 9mo ago | Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting |
| CVE-2025-43777 | unknown | — | — | | | | 9mo ago | Liferay Portal exposes 500 status when attempting login with a deleted client secret |
| CVE-2025-43778 | unknown | — | — | | | | 9mo ago | Liferay Portal is vulnerable to XSS attack through fieldset name in Kaleo Forms Admin |
| CVE-2025-43774 | unknown | — | — | | | | 9mo ago | Liferay Portal is vulnerable to XSS attack through its Style Book theme |
| CVE-2025-43763 | unknown | — | — | | | | 9mo ago | Liferay Portal is vulnerable to SSRF through custom object attachment fields |
| CVE-2025-58365 | unknown | — | — | | | | 9mo ago | XWiki Blog Application: Privilege Escalation (PR) from account through blog content |
| CVE-2025-58782 | unknown | — | — | | | | 9mo ago | Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data |
| CVE-2025-58369 | unknown | — | — | | | | 9mo ago | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side |
| CVE-2025-57807 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. ImageMagick versions lower than 14.8.2 include insecure functions: SeekBlob(), which permits advancing … |
| CVE-2025-58056 | unknown | — | — | | | | 9mo ago | Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions |
| CVE-2025-9467 | unknown | — | — | | | | 9mo ago | Vaadin Framework possible file bypass via upload validation on the server-side |
| CVE-2025-43772 | unknown | — | — | | | | 9mo ago | Liferay Portal Vulnerable to Denial of Service in Kaleo Forms Admin |
| CVE-2025-58057 | unknown | — | — | | | | 9mo ago | Netty's decoders vulnerable to DoS via zip bomb style attack |
| CVE-2025-55748 | unknown | — | — | | | | 9mo ago | XWiki configuration files can be accessed through jsx and sx endpoints |
| CVE-2025-58460 | unknown | — | — | | | | 9mo ago | Jenkins OpenTelemetry Plugin missing permission check allows capturing credentials |
| CVE-2025-58458 | unknown | — | — | | | | 9mo ago | Jenkins Git client Plugin file system information disclosure vulnerability |
| CVE-2025-58459 | unknown | — | — | | | | 9mo ago | Jenkins global-build-stats Plugin missing permission check can result in graph IDs being enumerated |
| CVE-2025-9784 | unknown | — | — | | | | 9mo ago | Undertow MadeYouReset HTTP/2 DDoS Vulnerability |
| CVE-2025-46047 | unknown | — | — | | | | 9mo ago | Silverpeas Core Username Enumeration Vulnerability |
| CVE-2025-43773 | unknown | — | — | | | | 9mo ago | Liferay Portal allows improper access through the expandoTableLocalService |
| CVE-2025-55202 | unknown | — | — | | | | 9mo ago | Opencast has a partial path traversal vulnerability in UI config |
| CVE-2025-58059 | unknown | — | — | | | | 9mo ago | Valtimo scripting engine can be used to gain access to sensitive data or resources |
| CVE-2025-58049 | unknown | — | — | | | | 9mo ago | XWiki PDF export jobs store sensitive cookies unencrypted in job statuses |
| CVE-2025-57803 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the… |
| CVE-2025-55298 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in Interpr… |
| CVE-2025-55212 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to mont… |
| CVE-2025-55160 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, there is undefined behavior (function-type-mismatch) in splay t… |
| CVE-2025-55154 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/p… |
| CVE-2025-55004 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, ImageMagick is vulnerable to heap-buffer overflow read around the handling of … |
| CVE-2025-68469 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.1-14, ImageMagick crashes when processing a crafted TIFF file. Version 7.1.1-14 fix… |
| CVE-2025-53019 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick stream` command, specifying multipl… |
| CVE-2025-53014 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` func… |
| CVE-2025-53101 | unknown | — | — | | | | 9mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying multip… |
| CVE-2025-26467 | unknown | — | — | | | | 9mo ago | Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only) |
| CVE-2025-43765 | unknown | — | — | | | | 9mo ago | Liferay Portal stored cross-site scripting in text field of the web content structure |
| CVE-2025-43766 | unknown | — | — | | | | 9mo ago | Liferay Portal allows unrestricted upload of file in the style books component |
| CVE-2025-43767 | unknown | — | — | | | | 9mo ago | Liferay Portal allows open redirect in /c/portal/edit_info_item parameter redirect |
| CVE-2025-43768 | unknown | — | — | | | | 9mo ago | Liferay Portal JSONWS API endpoint shares sensitive information |
| CVE-2025-43770 | unknown | — | — | | | | 9mo ago | Liferay Portal vulnerable to Reflected XSS with the referer and forward parameter |
| CVE-2025-43769 | unknown | — | — | | | | 9mo ago | Liferay Portal vulnerable to Stored XSS in Components portlet |
| CVE-2025-43762 | unknown | — | — | | | | 10mo ago | Liferay Portal users can upload an unlimited amount of files |
| CVE-2025-43758 | unknown | — | — | | | | 10mo ago | Liferay Portal's unauthenticated users can access loaded files via URL before submitting the object entry |
| CVE-2025-43759 | unknown | — | — | | | | 10mo ago | Liferay Portal users are able to add system admin portlets to pages |
| CVE-2025-43761 | unknown | — | — | | | | 10mo ago | Liferay Portal Reflected XSS in CKeditor 4.21.0 endpoint |
| CVE-2025-43760 | unknown | — | — | | | | 10mo ago | Liferay Portal Reflected Cross-Site Scripting Vulnerability via PortalUtil.escapeRedirect |
| CVE-2025-43751 | unknown | — | — | | | | 10mo ago | Liferay Portal User Enumeration Vulnerability via the Create Account Page |
| CVE-2025-51825 | unknown | — | — | | | | 10mo ago | JeecgBoot SQL Injection Vulnerability |
| CVE-2025-9340 | unknown | — | — | | | | 10mo ago | Bouncy Castle for Java has Out-of-Bounds Write Vulnerability |
| CVE-2025-9341 | unknown | — | — | | | | 10mo ago | Bouncy Castle for Java has Uncontrolled Resource Consumption Vulnerability |
| CVE-2025-43752 | unknown | — | — | | | | 10mo ago | Liferay Portal's Unlimited File Upload Could Result in DoS |
| CVE-2025-43753 | unknown | — | — | | | | 10mo ago | Liferay Portal Reflected Cross-Site Scripting Vulnerability via Form Container |
| CVE-2025-51606 | unknown | — | — | | | | 10mo ago | hippo4j Includes Hard Coded Secret Key in JWT Creation |
| CVE-2025-43754 | unknown | — | — | | | | 10mo ago | Liferay Portal Username Enumeration Vulnerability |
| CVE-2025-43756 | unknown | — | — | | | | 10mo ago | Liferay Portal Reflected Cross-Site Scripting Vulnerability via snippet Parameter |
| CVE-2025-43755 | unknown | — | — | | | | 10mo ago | Liferay Portal Stored Cross-Site Scripting Vulnerability via GroupPagesPortlet_type Parameter |
| CVE-2025-55743 | unknown | — | — | | | | 10mo ago | UnoPim vulnerable to remote code execution through Arbitrary File upload |
| CVE-2025-54988 | unknown | — | — | | | | 10mo ago | Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF |
| CVE-2025-43757 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting via DDMPortlet_definition Parameter |
| CVE-2025-43746 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping |
| CVE-2025-5115 | unknown | — | — | | | | 10mo ago | Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability |
| CVE-2025-43748 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Request Forgery |
| CVE-2025-43749 | unknown | — | — | | | | 10mo ago | Liferay Portal Unauthenticated File Access via URL |
| CVE-2025-43750 | unknown | — | — | | | | 10mo ago | Liferay Portal Unvalidated File Upload |
| CVE-2025-43742 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting through URLs |
| CVE-2025-43741 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting via assetTagNames Parameter |
| CVE-2025-43744 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels |
| CVE-2025-43743 | unknown | — | — | | | | 10mo ago | Liferay Portal Enumeration Discrepancy in Calendars |
| CVE-2025-43745 | unknown | — | — | | | | 10mo ago | Liferay Portal CSRF Vulnerability via Endpoint Parameter |
| CVE-2025-43737 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting via backURL Parameter |
| CVE-2025-43738 | unknown | — | — | | | | 10mo ago | Liferay Portal Reflected Cross-Site Scripting Vulnerability in displayType Parameter |
| CVE-2025-43739 | unknown | — | — | | | | 10mo ago | Liferay Portal Email Modification Vulnerability via Calendar Portlet |
| CVE-2025-43731 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting |
| CVE-2025-3639 | unknown | — | — | | | | 10mo ago | Liferay Portal Login Bypass Vulnerability |
| CVE-2025-43732 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Insecure Direct Object Reference |
| CVE-2025-43733 | unknown | — | — | | | | 10mo ago | Liferay Portal Vulnerable to Cross-Site Scripting |
| CVE-2025-41242 | unknown | — | — | | | | 10mo ago | Spring Framework MVC Applications Path Traversal Vulnerability |