CVEs from 2025
Total
8,841
critical
critical 1,314
high
high 1,956
medium
medium 1,966
low
low 200
% Critical
14.9%
% with KEV
2.1%
% with exploit
2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49584 | unknown | — | — | 1y ago | XWiki makes title of inaccessible pages available through the class property values REST API | |||
| CVE-2025-49583 | unknown | — | — | 1y ago | XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right | |||
| CVE-2025-49581 | unknown | — | — | 1y ago | XWiki allows remote code execution through default value of wiki macro wiki-type parameters | |||
| CVE-2025-49582 | unknown | — | — | 1y ago | XWiki's required right warnings for macros are incomplete | |||
| CVE-2025-49580 | unknown | — | — | 1y ago | XWiki allows privilege escalation through link refactoring | |||
| CVE-2025-46096 | unknown | — | — | 1y ago | Solon Vulnerable to Directory Traversal | |||
| CVE-2025-41234 | unknown | — | — | 1y ago | Spring Framework vulnerable to a reflected file download (RFD) | |||
| CVE-2025-49146 | unknown | — | — | 1y ago | pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration | |||
| CVE-2025-30220 | unknown | — | — | 1y ago | [XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service | |||
| CVE-2025-30145 | unknown | — | — | 1y ago | GeoServer Infinite Loop Vulnerability in Jiffle process | |||
| CVE-2025-27505 | unknown | — | — | 1y ago | GeoServer Missing Authorization on REST API Index | |||
| CVE-2025-27818 | unknown | — | — | 1y ago | Apache Kafka Deserialization of Untrusted Data vulnerability | |||
| CVE-2025-27817 | unknown | — | — | 1y ago | Apache Kafka Client Arbitrary File Read and Server Side Request Forgery Vulnerability | |||
| CVE-2025-27819 | unknown | — | — | 1y ago | Apache Kafka Deserialization of Untrusted Data vulnerability | |||
| CVE-2025-49128 | unknown | — | — | 1y ago | Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation | |||
| CVE-2025-49009 | unknown | — | — | 1y ago | Para Inserts Sensitive Information into Log File for Facebook authentication | |||
| CVE-2025-27531 | unknown | — | — | 1y ago | Apache InLong Deserialization of Untrusted Data Vulnerability | |||
| CVE-2025-5806 | unknown | — | — | 1y ago | Jenkins Gatling Plugin Vulnerable to Cross-Site Scripting (XSS) | |||
| CVE-2025-35036 | unknown | — | — | 1y ago | Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language | |||
| CVE-2025-46548 | unknown | — | — | 1y ago | Pekko Management may not properly apply authenticator when Basic Authentication is enabled | |||
| CVE-2025-45855 | unknown | — | — | 1y ago | Erupt Unrestricted Upload of File with Dangerous Type vulnerability | |||
| CVE-2025-48955 | unknown | — | — | 1y ago | Para Server Logs Sensitive Information | |||
| CVE-2025-41235 | unknown | — | — | 1y ago | Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | |||
| CVE-2025-48881 | unknown | — | — | 1y ago | Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users | |||
| CVE-2025-27528 | unknown | — | — | 1y ago | Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read | |||
| CVE-2025-27526 | unknown | — | — | 1y ago | Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass | |||
| CVE-2025-27522 | unknown | — | — | 1y ago | Apache InLong: JDBC Vulnerability during verification processing | |||
| CVE-2025-48382 | unknown | — | — | 1y ago | Fess has Insecure Temporary File Permissions | |||
| CVE-2025-4949 | unknown | — | — | 1y ago | Eclipse JGit XML External Entity (XXE) Vulnerability | |||
| CVE-2025-48063 | unknown | — | — | 1y ago | XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right | |||
| CVE-2025-41232 | unknown | — | — | 1y ago | Spring Security authorization bypass for method security annotations on private methods | |||
| CVE-2025-22233 | unknown | — | — | 1y ago | Spring Framework DataBinder Case Sensitive Match Exception | |||
| CVE-2025-47279 | unknown | — | — | 1y ago | Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server … | |||
| CVE-2025-47886 | unknown | — | — | 1y ago | Jenkins Cadence vManager Plugin Vulnerable to Cross-Site Request Forgery | |||
| CVE-2025-47888 | unknown | — | — | 1y ago | Jenkins DingTalk Plugin Unconditionally Disables SSL/TLS Certificate and Hostname Validation | |||
| CVE-2025-47889 | unknown | — | — | 1y ago | Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials | |||
| CVE-2025-47885 | unknown | — | — | 1y ago | Jenkins Health Advisor by CloudBees Plugin Vulnerable to Cross-Site Scripting | |||
| CVE-2025-47884 | unknown | — | — | 1y ago | Jenkins OpenID Connect Provider Plugin Incorrectly Validates Crafted Build ID Tokens | |||
| CVE-2025-47887 | unknown | — | — | 1y ago | Jenkins Cadence vManager Plugin is Missing Permission Checks | |||
| CVE-2025-4641 | unknown | — | — | 1y ago | BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference | |||
| CVE-2025-26795 | unknown | — | — | 1y ago | Apache IoTDB JDBC Driver Discloses Sensitive Information via Log Files | |||
| CVE-2025-26864 | unknown | — | — | 1y ago | Apache IoTDB Discloses Sensitive Information via Log Files | |||
| CVE-2025-46392 | unknown | — | — | 1y ago | Apache Commons Configuration Uncontrolled Resource Consumption | |||
| CVE-2025-1948 | unknown | — | — | 1y ago | Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit | |||
| CVE-2025-46827 | unknown | — | — | 1y ago | Graylog Allows Session Takeover via Insufficient HTML Sanitization | |||
| CVE-2025-46551 | unknown | — | — | 1y ago | JRuby-OpenSSL has hostname verification disabled by default | |||
| CVE-2025-2901 | unknown | — | — | 1y ago | HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store | |||
| CVE-2025-4388 | unknown | — | — | 1y ago | Liferay Portal Reflected XSS in marketplace-app-manager-web | |||
| CVE-2025-46762 | unknown | — | — | 1y ago | Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata | |||
| CVE-2025-45616 | unknown | — | — | 1y ago | BRCC Incorrect Access Control vulnerability | |||
| CVE-2025-2905 | unknown | — | — | 1y ago | WSO2 API Manager XML External Entity (XXE) vulnerability | |||
| CVE-2025-3910 | unknown | — | — | 1y ago | Keycloak vulnerable to two factor authentication bypass | |||
| CVE-2025-3501 | unknown | — | — | 1y ago | Keycloak hostname verification | |||
| CVE-2025-46558 | unknown | — | — | 1y ago | org.xwiki.contrib.markdown:syntax-markdown-commonmark12 vulnerable to XSS via Markdown content | |||
| CVE-2025-46557 | unknown | — | — | 1y ago | Any user with view access to the XWiki space can change the authenticator | |||
| CVE-2025-46554 | unknown | — | — | 1y ago | XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API | |||
| CVE-2025-32974 | unknown | — | — | 1y ago | org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type | |||
| CVE-2025-32973 | unknown | — | — | 1y ago | org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right | |||
| CVE-2025-32972 | unknown | — | — | 1y ago | The lesscss script service allows cache clearing without programming right | |||
| CVE-2025-32971 | unknown | — | — | 1y ago | Solr script service doesn't take dropped programming right into account | |||
| CVE-2025-32970 | unknown | — | — | 1y ago | org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability | |||
| CVE-2025-22235 | unknown | — | — | 1y ago | Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | |||
| CVE-2025-3985 | unknown | — | — | 1y ago | Apereo CAS has inefficient regular expression complexity | |||
| CVE-2025-3986 | unknown | — | — | 1y ago | Apereo CAS has inefficient regular expression complexity | |||
| CVE-2025-3984 | unknown | — | — | 1y ago | Apereo CAS code injection vulnerability | |||
| CVE-2025-27820 | unknown | — | — | 1y ago | Apache HttpClient disables domain checks | |||
| CVE-2025-32969 | unknown | — | — | 1y ago | org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API | |||
| CVE-2025-32968 | unknown | — | — | 1y ago | org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API | |||
| CVE-2025-32961 | unknown | — | — | 1y ago | XSS in the /download Endpoint of the JPA Web API | |||
| CVE-2025-32960 | unknown | — | — | 1y ago | XSS in the /files Endpoint of the Generic REST API | |||
| CVE-2025-32959 | unknown | — | — | 1y ago | Cuba has a DoS in the File Storage | |||
| CVE-2025-32952 | unknown | — | — | 1y ago | io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage | |||
| CVE-2025-32951 | unknown | — | — | 1y ago | io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API | |||
| CVE-2025-32950 | unknown | — | — | 1y ago | io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage | |||
| CVE-2025-29287 | unknown | — | — | 1y ago | MCMS allows arbitrary file uploads in the ueditor component | |||
| CVE-2025-32434 | unknown | — | — | 1y ago | PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command … | |||
| CVE-2025-3760 | unknown | — | — | 1y ago | Liferay Cross-site Scripting vulnerability | |||
| CVE-2025-3730 | unknown | — | — | 1y ago | A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation … | |||
| CVE-2025-22872 | unknown | — | — | 1y ago | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly… | |||
| CVE-2025-32783 | unknown | — | — | 1y ago | Unregistered users can see "public" messages from a closed wiki via notifications from a different wiki | |||
| CVE-2025-30215 | unknown | — | — | 1y ago | NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets h… | |||
| CVE-2025-3573 | unknown | — | — | 1y ago | Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This v… | |||
| CVE-2025-3588 | unknown | — | — | 1y ago | jsonschema2pojo has Improper Restriction of Operations within the Bounds of a Memory Buffer | |||
| CVE-2025-27391 | unknown | — | — | 1y ago | Apache ActiveMQ Artemis Vulnerable to Insertion of Sensitive Information into Log File | |||
| CVE-2025-31672 | unknown | — | — | 1y ago | Apache POI OOXML Vulnerable to Improper Input Validation in OOXML File Parsing | |||
| CVE-2025-30677 | unknown | — | — | 1y ago | Apache Pulsar Kafka Connector Logs Sensitive Information in Application Logs | |||
| CVE-2025-29480 | unknown | — | — | 1y ago | Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker to cause a denial of service via the OGRSpatialReference::Release function. NOTE: the Supplier indicates that the report is invali… | |||
| CVE-2025-30373 | unknown | — | — | 1y ago | Graylog's Authenticated HTTP inputs ingest message even if Authorization header is missing or has wrong value | |||
| CVE-2025-31487 | unknown | — | — | 1y ago | The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server | |||
| CVE-2025-3136 | unknown | — | — | 1y ago | A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0. This issue affects the function torch.cuda.memory.caching_allocator_delete of the file c10/cuda/CUDACachingAlloc… | |||
| CVE-2025-3121 | unknown | — | — | 1y ago | A vulnerability classified as problematic has been found in PyTorch 2.6.0. Affected is the function torch.jit.jit_module_from_flatbuffer. The manipulation leads to memory corruption. Local access is … | |||
| CVE-2025-29085 | unknown | — | — | 1y ago | Vipshop Saturn Console Vulnerable to SQL Injection via ClusterKey Component | |||
| CVE-2025-31726 | unknown | — | — | 1y ago | Jenkins Stack Hammer Plugin Stores API Keys Unencrypted in Job `config.xml` Files | |||
| CVE-2025-31722 | unknown | — | — | 1y ago | Jenkins Templating Engine Plugin Vulnerable to Arbitrary Code Execution | |||
| CVE-2025-31727 | unknown | — | — | 1y ago | Jenkins AsakusaSatellite Plugin Stores API Keys Unencrypted in Job `config.xml` Files | |||
| CVE-2025-31724 | unknown | — | — | 1y ago | Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted | |||
| CVE-2025-31725 | unknown | — | — | 1y ago | Jenkins monitor-remote-job Plugin Stores Passwords Unencrypted | |||
| CVE-2025-31721 | unknown | — | — | 1y ago | Jenkins Missing Permission Check | |||
| CVE-2025-31728 | unknown | — | — | 1y ago | Jenkins AsakusaSatellite Plugin Does not Mask API Keys via Job Configuration Form | |||
| CVE-2025-31723 | unknown | — | — | 1y ago | Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF) |