CVEs from 2025
Total
8,841
critical
critical 1,314
high
high 1,955
medium
medium 1,967
low
low 200
% Critical
14.9%
% with KEV
2.1%
% with exploit
2.8%
Top vendors
- qualcomm 1,123
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- redhat 108
- microsoft 107
- portabilis 94
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- gcp 29
- inventory_management_system 28
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-31726 | unknown | — | — | 1y ago | Jenkins Stack Hammer Plugin Stores API Keys Unencrypted in Job `config.xml` Files | |||
| CVE-2025-31129 | unknown | — | — | 1y ago | jooby-pac4j: deserialization of untrusted data | |||
| CVE-2025-30177 | unknown | — | — | 1y ago | Apache Camel Missing Header Out Filter Leads to Potential Bypass/Injection Vulnerability | |||
| CVE-2025-30065 | unknown | — | — | 1y ago | Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution | |||
| CVE-2025-27427 | unknown | — | — | 1y ago | Apache ActiveMQ Artemis User Without Create Address Permissions can Modify Address Routing-Type | |||
| CVE-2025-29908 | unknown | — | — | 1y ago | Netty QUIC hash collision DoS attack | |||
| CVE-2025-3001 | unknown | — | — | 1y ago | A vulnerability classified as critical was found in PyTorch 2.6.0. This vulnerability affects the function torch.lstm_cell. The manipulation leads to memory corruption. The attack needs to be approac… | |||
| CVE-2025-3000 | unknown | — | — | 1y ago | A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on… | |||
| CVE-2025-2999 | unknown | — | — | 1y ago | A vulnerability was found in PyTorch 2.6.0. It has been rated as critical. Affected by this issue is the function torch.nn.utils.rnn.unpack_sequence. The manipulation leads to memory corruption. Atta… | |||
| CVE-2025-2998 | unknown | — | — | 1y ago | A vulnerability was found in PyTorch 2.6.0. It has been declared as critical. Affected by this vulnerability is the function torch.nn.utils.rnn.pad_packed_sequence. The manipulation leads to memory c… | |||
| CVE-2025-2961 | unknown | — | — | 1y ago | Solon Vulnerable to Path Traversal | |||
| CVE-2025-2953 | unknown | — | — | 1y ago | A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of servic… | |||
| CVE-2025-30067 | unknown | — | — | 1y ago | Apache Kylin Code Injection via JDBC Configuration Alteration | |||
| CVE-2025-29314 | unknown | — | — | 1y ago | OpenDaylight SFC Insecure Shiro Cookie Configuration | |||
| CVE-2025-29313 | unknown | — | — | 1y ago | OpenDaylight SFC Denial of Service (DoS) | |||
| CVE-2025-29315 | unknown | — | — | 1y ago | OpenDaylight SFC Allows Unauthorized Privileged Execution via Crafted Request | |||
| CVE-2025-22223 | unknown | — | — | 1y ago | Spring Security Vulnerable to Authorization Bypass via Security Annotations | |||
| CVE-2025-27553 | unknown | — | — | 1y ago | Apache Commons VFS Has Relative Path Traversal Vulnerability | |||
| CVE-2025-30474 | unknown | — | — | 1y ago | Apache Commons VFS Exposure of Sensitive Information to an Unauthorized Actor | |||
| CVE-2025-2622 | unknown | — | — | 1y ago | aizuda snail-job Vulnerable to Deserialization via `nodeExpression` Argument | |||
| CVE-2025-26796 | unknown | — | — | 1y ago | Apache Oozie Cross-Site Scripting (XSS) | |||
| CVE-2025-2565 | unknown | — | — | 1y ago | Liferay Portal and Liferay DXP Reveals Data via Forms | |||
| CVE-2025-27888 | unknown | — | — | 1y ago | Apache Druid vulnerable to Server-Side Request Forgery, Cross-site Scripting, Open Redirect | |||
| CVE-2025-22228 | unknown | — | — | 1y ago | Spring Security Does Not Enforce Password Length | |||
| CVE-2025-2536 | unknown | — | — | 1y ago | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) | |||
| CVE-2025-29926 | unknown | — | — | 1y ago | The WikiManager REST API allows any user to create wikis | |||
| CVE-2025-29924 | unknown | — | — | 1y ago | XWiki uses the wrong wiki reference in AuthorizationManager | |||
| CVE-2025-30197 | unknown | — | — | 1y ago | Jenkins Zoho QEngine Plugin Displays Unmasked API Keys | |||
| CVE-2025-30196 | unknown | — | — | 1y ago | Jenkins AnchorChain Plugin Has a Cross-Site Scripting (XSS) Vulnerability | |||
| CVE-2025-27496 | unknown | — | — | 1y ago | Snowflake JDBC Driver client-side encryption key in DEBUG logs | |||
| CVE-2025-27017 | unknown | — | — | 1y ago | Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record | |||
| CVE-2025-27867 | unknown | — | — | 1y ago | Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin | |||
| CVE-2025-2240 | unknown | — | — | 1y ago | SmallRye Fault Tolerance out-of-memory (OOM) issue | |||
| CVE-2025-29891 | unknown | — | — | 1y ago | Apache Camel Message Header Injection through request parameters | |||
| CVE-2025-0604 | unknown | — | — | 1y ago | Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak | |||
| CVE-2025-27136 | unknown | — | — | 1y ago | LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection | |||
| CVE-2025-2149 | unknown | — | — | 1y ago | A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of t… | |||
| CVE-2025-2148 | unknown | — | — | 1y ago | A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component T… | |||
| CVE-2025-27636 | unknown | — | — | 1y ago | Apache Camel: Camel Message Header Injection via Improper Filtering | |||
| CVE-2025-27604 | unknown | — | — | 1y ago | com.xwiki.confluencepro:application-confluence-migrator-pro-ui's application homepage is public | |||
| CVE-2025-27603 | unknown | — | — | 1y ago | com.xwiki.confluencepro:application-confluence-migrator-pro-ui Remote Code Execution via unescaped translations | |||
| CVE-2025-27623 | unknown | — | — | 1y ago | Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission | |||
| CVE-2025-27622 | unknown | — | — | 1y ago | Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission | |||
| CVE-2025-27625 | unknown | — | — | 1y ago | Jenkins Open Redirect vulnerability | |||
| CVE-2025-27624 | unknown | — | — | 1y ago | Jenkins cross-site request forgery (CSRF) vulnerability | |||
| CVE-2025-4432 | unknown | — | — | 1y ago | Ring: some aes functions may panic when overflow checking is enabled in ring in github.com/briansmith/ring | |||
| CVE-2025-27508 | unknown | — | — | 1y ago | Emissary May Use a Broken or Risky Cryptographic Algorithm | |||
| CVE-2025-27497 | unknown | — | — | 1y ago | OpenDJ Denial of Service (DoS) using alias loop | |||
| CVE-2025-1634 | unknown | — | — | 1y ago | io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout | |||
| CVE-2025-1584 | unknown | — | — | 1y ago | Solon Path Traversal | |||
| CVE-2025-23020 | unknown | — | — | 1y ago | Kwik hash collision vulnerability | |||
| CVE-2025-26791 | unknown | — | — | 1y ago | DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS). | |||
| CVE-2025-26511 | unknown | — | — | 1y ago | Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC | |||
| CVE-2025-1247 | unknown | — | — | 1y ago | Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance | |||
| CVE-2025-25193 | unknown | — | — | 1y ago | Denial of Service attack on windows app using Netty | |||
| CVE-2025-25188 | unknown | — | — | 1y ago | Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DN… | |||
| CVE-2025-24970 | unknown | — | — | 1y ago | SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine | |||
| CVE-2025-25247 | unknown | — | — | 1y ago | Apache Felix Webconsole: XSS in services console | |||
| CVE-2025-24860 | unknown | — | — | 1y ago | Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions | |||
| CVE-2025-23015 | unknown | — | — | 1y ago | Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions | |||
| CVE-2025-0148 | unknown | — | — | 1y ago | Jenkins Zoom Plugin is Missing Password Field Masking | |||
| CVE-2025-24961 | unknown | — | — | 1y ago | S3Proxy allows insecure path traversal in filesystem and filesystem-nio2 storage backends | |||
| CVE-2025-23367 | unknown | — | — | 1y ago | WildFly improper RBAC permission | |||
| CVE-2025-23215 | unknown | — | — | 1y ago | PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext | |||
| CVE-2025-0142 | unknown | — | — | 1y ago | Jenkins Zoom Plugin Stores Sensitive Information in Cleartext | |||
| CVE-2025-0851 | unknown | — | — | 1y ago | Deep Java Library path traversal issue | |||
| CVE-2025-24790 | unknown | — | — | 1y ago | Snowflake JDBC uses insecure temporary credential cache file permissions | |||
| CVE-2025-24789 | unknown | — | — | 1y ago | Snowflake JDBC allows an untrusted search path on Windows | |||
| CVE-2025-24374 | unknown | — | — | 1y ago | Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0. | |||
| CVE-2025-24138 | unknown | — | — | 1y ago | This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. A malicious application may be able to leak sensitive… | |||
| CVE-2025-24118 | unknown | — | — | 1y ago | The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or writ… | |||
| CVE-2025-24159 | unknown | — | — | 1y ago | A validation issue was addressed with improved logic. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. A… | |||
| CVE-2025-24122 | unknown | — | — | 1y ago | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An… | |||
| CVE-2025-24163 | unknown | — | — | 1y ago | The issue was addressed with improved checks. This issue is fixed in iOS 18.3 and iPadOS 18.3, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sequoia 15.4, macOS Sonoma 14.7.3, tv… | |||
| CVE-2025-24123 | unknown | — | — | 1y ago | The issue was addressed with improved checks. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, tvOS 18.3, visionOS 2.3, w… | |||
| CVE-2025-24174 | unknown | — | — | 1y ago | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to bypass Privacy preferences. | |||
| CVE-2025-24783 | unknown | — | — | 1y ago | Apache Cocoon vulnerable to Incorrect Usage of Seeds in Pseudo-Random Number Generator | |||
| CVE-2025-24814 | unknown | — | — | 1y ago | Apache Solr vulnerable to Execution with Unnecessary Privileges | |||
| CVE-2025-24363 | unknown | — | — | 1y ago | HL7 FHIR IG Publisher potentially exposes GitHub repo user and credential information | |||
| CVE-2025-24401 | unknown | — | — | 1y ago | Disabled permissions can be granted by Folder-based in Jenkins Authorization Strategy Plugin | |||
| CVE-2025-24403 | unknown | — | — | 1y ago | Missing permission checks in Jenkins Azure Service Fabric Plugin | |||
| CVE-2025-24402 | unknown | — | — | 1y ago | CSRF vulnerability in Jenkins Azure Service Fabric Plugin | |||
| CVE-2025-24398 | unknown | — | — | 1y ago | Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL | |||
| CVE-2025-24400 | unknown | — | — | 1y ago | Cache confusion in Jenkins Eiffel Broadcaster Plugin | |||
| CVE-2025-24397 | unknown | — | — | 1y ago | Incorrect permission check in Jenkins GitLab Plugin allows enumerating credentials IDs | |||
| CVE-2025-24399 | unknown | — | — | 1y ago | Improper handling of case sensitivity in Jenkins OpenId Connect Authentication Plugin | |||
| CVE-2025-23184 | unknown | — | — | 1y ago | Apache CXF: Denial of Service vulnerability with temporary files | |||
| CVE-2025-23025 | unknown | — | — | 1y ago | XWiki Realtime WYSIWYG Editor extension allows privilege escalation (PR) through realtime WYSIWYG editing | |||
| CVE-2025-23026 | unknown | — | — | 1y ago | jte's HTML templates containing Javascript template strings are subject to XSS |