CVEs from 2025
Total
8,835
critical
critical 1,313
high
high 1,951
medium
medium 1,966
low
low 200
% Critical
14.9%
% with KEV
2.1%
% with exploit
2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-41242 | unknown | — | — | 10mo ago | Spring Framework MVC Applications Path Traversal Vulnerability | |||
| CVE-2025-9092 | unknown | — | — | 10mo ago | Bouncy Castle for Java Uncontrolled Resource Consumption Vulnerability | |||
| CVE-2025-55163 | unknown | — | — | 10mo ago | Netty affected by MadeYouReset HTTP/2 DDoS vulnerability | |||
| CVE-2025-43734 | unknown | — | — | 10mo ago | Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability | |||
| CVE-2025-8747 | unknown | — | — | 10mo ago | Keras vulnerable to CVE-2025-1550 bypass via reuse of internal functionality | |||
| CVE-2025-8885 | unknown | — | — | 10mo ago | Bouncy Castle for Java on All (API modules) allows Excessive Allocation | |||
| CVE-2025-43736 | unknown | — | — | 10mo ago | Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability | |||
| CVE-2025-55159 | unknown | — | — | 10mo ago | slab is a pre-allocated storage for a uniform data type. In version 0.4.10, the get_disjoint_mut method incorrectly checked if indices were within the slab's capacity instead of its length, allowing … | |||
| CVE-2025-4581 | unknown | — | — | 10mo ago | Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery | |||
| CVE-2025-4576 | unknown | — | — | 10mo ago | Liferay Portal Reflected XSS in blogs-web | |||
| CVE-2025-53606 | unknown | — | — | 10mo ago | Apache Seata: Deserialization of untrusted Data in Apache Seata Server | |||
| CVE-2025-48913 | unknown | — | — | 10mo ago | Apache CXF: Untrusted JMS configuration can lead to RCE | |||
| CVE-2025-54368 | unknown | — | — | 10mo ago | uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the a… | |||
| CVE-2025-54125 | unknown | — | — | 10mo ago | XWiki exposes passwords and emails stored in fields not named password/email in xml.vm | |||
| CVE-2025-54124 | unknown | — | — | 10mo ago | XWiki leaks password hashes and other accessible password properties | |||
| CVE-2025-32430 | unknown | — | — | 10mo ago | XWiki allows Reflected XSS in two templates | |||
| CVE-2025-4604 | unknown | — | — | 10mo ago | Liferay Portal CAPTCHA Bypass for Gogo Shell | |||
| CVE-2025-24854 | unknown | — | — | 10mo ago | Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability in the Image Plugin | |||
| CVE-2025-24853 | unknown | — | — | 10mo ago | Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability via Header Link Rendering | |||
| CVE-2025-54656 | unknown | — | — | 10mo ago | Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability | |||
| CVE-2025-54410 | unknown | — | — | 10mo ago | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulne… | |||
| CVE-2025-54388 | unknown | — | — | 10mo ago | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.… | |||
| CVE-2025-54380 | unknown | — | — | 10mo ago | Opencast still publishes global system account credentials | |||
| CVE-2025-54385 | unknown | — | — | 10mo ago | XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API | |||
| CVE-2025-53015 | unknown | — | — | 11mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0, infinite lines occur when writing during a specific XMP file conversion co… | |||
| CVE-2025-51481 | unknown | — | — | 11mo ago | Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the no… | |||
| CVE-2025-54121 | unknown | — | — | 11mo ago | Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part … | |||
| CVE-2025-7962 | unknown | — | — | 11mo ago | Jakarta Mail vulnerable to SMTP Injection | |||
| CVE-2025-49656 | unknown | — | — | 11mo ago | Apache Jena allows users with administrator access to create databases files outside the files area of the Fuseki server | |||
| CVE-2025-50151 | unknown | — | — | 11mo ago | Apache Jena doesn't validate file access paths in configuration files uploaded by users with administrator access | |||
| CVE-2025-22227 | unknown | — | — | 11mo ago | Reactor Netty HTTP is vulnerable to credential leaks during chained redirects | |||
| CVE-2025-53622 | unknown | — | — | 11mo ago | DSpace is vulnerable to Path Traversal attacks when importing packages using Simple Archive Format | |||
| CVE-2025-53621 | unknown | — | — | 11mo ago | DSpace is vulnerable to XML External Entity injection during archive imports | |||
| CVE-2025-48795 | unknown | — | — | 11mo ago | Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged | |||
| CVE-2025-53836 | unknown | — | — | 11mo ago | XWiki Rendering is vulnerable to RCE attacks when processing nested macros | |||
| CVE-2025-53835 | unknown | — | — | 11mo ago | XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax | |||
| CVE-2025-53643 | unknown | — | — | 11mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trail… | |||
| CVE-2025-53689 | unknown | — | — | 11mo ago | Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build | |||
| CVE-2025-48924 | unknown | — | — | 11mo ago | Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.… | |||
| CVE-2025-53864 | unknown | — | — | 11mo ago | Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON | |||
| CVE-2025-53678 | unknown | — | — | 11mo ago | Jenkins User1st uTester Plugin vulnerability exposes unencrypted token to authenticated users | |||
| CVE-2025-53669 | unknown | — | — | 11mo ago | Jenkins VAddy Plugin vulnerability exposes plaintext keys on its job configuration form | |||
| CVE-2025-53742 | unknown | — | — | 11mo ago | Jenkins Applitools Eyes Plugin vulnerability exposes unencrypted keys to certain authenticated users | |||
| CVE-2025-53675 | unknown | — | — | 11mo ago | Jenkins Warrior Framework Plugin vulnerability exposes unencrypted passwords to certain authenticated users | |||
| CVE-2025-53676 | unknown | — | — | 11mo ago | Jenkins Xooa Plugin vulnerability exposes unencrypted tokens to authenticated users | |||
| CVE-2025-53743 | unknown | — | — | 11mo ago | Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form | |||
| CVE-2025-53663 | unknown | — | — | 11mo ago | Jenkins IBM Cloud DevOps Plugin vulnerability exposes SonarQube authentication tokens | |||
| CVE-2025-53667 | unknown | — | — | 11mo ago | Jenkins Dead Man's Snitch Plugin vulnerability does not mask tokens | |||
| CVE-2025-53660 | unknown | — | — | 11mo ago | Jenkins QMetry Test Management Plugin vulnerability exposes API keys | |||
| CVE-2025-53666 | unknown | — | — | 11mo ago | Jenkins Dead Man's Snitch Plugin vulnerability stores tokens in plain text | |||
| CVE-2025-53662 | unknown | — | — | 11mo ago | Jenkins IFTTT Build Notifier Plugin vulnerability exposes IFTTT Maker Channel Keys | |||
| CVE-2025-53661 | unknown | — | — | 11mo ago | Jenkins Testsigma Test Plan vulnerability exposes API keys via job configuration form | |||
| CVE-2025-53673 | unknown | — | — | 11mo ago | Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens in its global configuration file | |||
| CVE-2025-53671 | unknown | — | — | 11mo ago | Jenkins Nouvola DiveCloud Plugin vulnerability does not mask keys on its job configuration form | |||
| CVE-2025-53655 | unknown | — | — | 11mo ago | Jenkins Statistics Gatherer Plugin does not mask AWS Secret Key | |||
| CVE-2025-53670 | unknown | — | — | 11mo ago | Jenkins Nouvola DiveCloud Plugin vulnerability stores unencrypted credentials | |||
| CVE-2025-53674 | unknown | — | — | 11mo ago | Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens | |||
| CVE-2025-53672 | unknown | — | — | 11mo ago | Jenkins Kryptowire Plugin vulnerability stores unencrypted Kryptowire API key | |||
| CVE-2025-53659 | unknown | — | — | 11mo ago | Jenkins QMetry Test Management Plugin stores unencrypted API keys | |||
| CVE-2025-53664 | unknown | — | — | 11mo ago | Jenkins Apica Loadtest Plugin vulnerability exposes authentication tokens | |||
| CVE-2025-53658 | unknown | — | — | 11mo ago | Jenkins Applitools Eyes Plugin vulnerable to XSS through its Build page | |||
| CVE-2025-53656 | unknown | — | — | 11mo ago | Jenkins ReadyAPI Functional Testing Plugin vulnerability stores unencrypted authentication credentials | |||
| CVE-2025-53657 | unknown | — | — | 11mo ago | Jenkins ReadyAPI Functional Testing Plugin vulnerability exposes secrets | |||
| CVE-2025-53668 | unknown | — | — | 11mo ago | Jenkins VAddy Plugin vulnerability exposes unencrypted keys to certain authenticated users | |||
| CVE-2025-53665 | unknown | — | — | 11mo ago | Jenkins Apica Loadtest Plugin vulnerability exposes authentication tokens | |||
| CVE-2025-53653 | unknown | — | — | 11mo ago | Jenkins Aqua Security Scanner Plugin vulnerability exposes scanner tokens | |||
| CVE-2025-53654 | unknown | — | — | 11mo ago | Jenkins Statistics Gatherer Plugin vulnerability exposes AWS Secret Key | |||
| CVE-2025-53651 | unknown | — | — | 11mo ago | Jenkins HTML Publisher Plugin vulnerability displays controller file system information in its logs | |||
| CVE-2025-53652 | unknown | — | — | 11mo ago | Jenkins Git Parameter Plugin vulnerable to code injection due to inexhaustive parameter check | |||
| CVE-2025-53650 | unknown | — | — | 11mo ago | Jenkins Credentials Binding Plugin vulnerability can expose sensitive information in logger messages | |||
| CVE-2025-53602 | unknown | — | — | 11mo ago | Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint | |||
| CVE-2025-53103 | unknown | — | — | 11mo ago | junit-platform-reporting can leak Git credentials through its OpenTestReportGeneratingListener | |||
| CVE-2025-53106 | unknown | — | — | 11mo ago | Graylog vulnerable to privilege escalation through API tokens | |||
| CVE-2025-26074 | unknown | — | — | 11mo ago | Conductor vulnerable to OS command injection through unrestricted access to Java classes | |||
| CVE-2025-53003 | unknown | — | — | 11mo ago | Janssen Config API returns results without scope verification | |||
| CVE-2025-53393 | unknown | — | — | 11mo ago | akka-cluster-metrics uses Java serialization for cluster metrics | |||
| CVE-2025-32897 | unknown | — | — | 11mo ago | Apache Seata Vulnerable to Deserialization of Untrusted Data | |||
| CVE-2025-5731 | unknown | — | — | 11mo ago | Infinispan CLI vulnerable to Generation of Error Message Containing Sensitive Information | |||
| CVE-2025-52890 | unknown | — | — | 11mo ago | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security optio… | |||
| CVE-2025-52889 | unknown | — | — | 11mo ago | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) th… | |||
| CVE-2025-52888 | unknown | — | — | 11mo ago | Allure Report allows Improper XXE Restriction via DocumentBuilderFactory | |||
| CVE-2025-49574 | unknown | — | — | 1y ago | Quarkus potentially leaks data when duplicating a duplicated context | |||
| CVE-2025-6384 | unknown | — | — | 1y ago | Crafter Studio Groovy Sandbox Bypass | |||
| CVE-2025-48059 | unknown | — | — | 1y ago | PowSyBl Core Contains a Polynomial ReDoS in RegexCriterion | |||
| CVE-2025-48058 | unknown | — | — | 1y ago | PowSyBl Core contains Polynomial REDoS’es | |||
| CVE-2025-47771 | unknown | — | — | 1y ago | PowSyBl Core allows deserialization of untrusted SparseMatrix data | |||
| CVE-2025-47293 | unknown | — | — | 1y ago | PowSyBl Core XML Reader allows XXE and SSRF | |||
| CVE-2025-32896 | unknown | — | — | 1y ago | Apache SeaTunnel: Unauthenticated insecure access | |||
| CVE-2025-3526 | unknown | — | — | 1y ago | Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session | |||
| CVE-2025-3594 | unknown | — | — | 1y ago | Liferay Portal path traversal vulnerability with the downloading and installation of Xuggler | |||
| CVE-2025-49124 | unknown | — | — | 1y ago | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects A… | |||
| CVE-2025-3602 | unknown | — | — | 1y ago | Liferay Portal does not limit the depth of a GraphQL queries | |||
| CVE-2025-49585 | unknown | — | — | 1y ago | XWiki does not require right warnings for XClass definitions | |||
| CVE-2025-49586 | unknown | — | — | 1y ago | XWiki allows remote code execution through preview of XClass changes in AWM editor | |||
| CVE-2025-49587 | unknown | — | — | 1y ago | XWiki does not require right warnings for notification displayer objects | |||
| CVE-2025-49584 | unknown | — | — | 1y ago | XWiki makes title of inaccessible pages available through the class property values REST API | |||
| CVE-2025-49583 | unknown | — | — | 1y ago | XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right | |||
| CVE-2025-49581 | unknown | — | — | 1y ago | XWiki allows remote code execution through default value of wiki macro wiki-type parameters | |||
| CVE-2025-49582 | unknown | — | — | 1y ago | XWiki's required right warnings for macros are incomplete | |||
| CVE-2025-49580 | unknown | — | — | 1y ago | XWiki allows privilege escalation through link refactoring |