CVEs from 2025
- Total: 12,202
- Critical: 1,301
- High: 1,894
- Medium: 1,908
- Low: 193
- % Critical: 10.7%
- % with KEV: 1.5%
- % with exploit: 1.5%
Top vendors
- fabian 285
- campcodes 232
- phpgurukul 189
- code-projects 121
- microsoft 107
- redhat 106
- portabilis 94
- mayurik 79
Top products
- i-educar 80
- office_long_term_servicing_channel 35
- office 34
- best_salon_management_system 33
- apartment_management_system 30
- inventory_management_system 28
- gcp 23
- online_learning_management_system 21
Top packages
- Go/github.com/mattermost/mattermost/server/v8 258
- Go/github.com/mattermost/mattermost-server 249
- Packagist/magento/community-edition 231
- Packagist/moodle/moodle 162
- Go/github.com/mattermost/mattermost-server/v5 99
- Go/github.com/mattermost/mattermost-server/v6 99
- Maven/com.liferay.portal:release.dxp.bom 61
- Maven/org.apache.tomcat.embed:tomcat-embed-core 53
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2025-29635 | unknown | — | 1.5 | 1mo ago | D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via … | |
| CVE-2025-2749 | unknown | — | 1.5 | 1mo ago | Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations. | |
| CVE-2025-32975 | unknown | — | 1.5 | 1mo ago | Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials. | |
| CVE-2025-48700 | unknown | — | 1.5 | 1mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to una… | |
| CVE-2025-60710 | unknown | — | 1.5 | 2mo ago | Microsoft Windows contains a link following vulnerability that allows for privilege escalation. | |
| CVE-2025-53521 | unknown | — | 1.5 | 2mo ago | F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution. | |
| CVE-2025-43510 | unknown | — | 1.5 | 2mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes. | |
| CVE-2025-43520 | unknown | — | 1.5 | 2mo ago | Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel … | |
| CVE-2025-66376 | unknown | — | 1.5 | 2mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML. | |
| CVE-2025-47813 | unknown | — | 1.5 | 2mo ago | Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie. | |
| CVE-2025-26399 | unknown | — | 1.5 | 3mo ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine. | |
| CVE-2025-68461 | unknown | — | 1.5 | 3mo ago | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | |
| CVE-2025-40536 | unknown | — | 1.5 | 4mo ago | SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality. | |
| CVE-2025-15556 | unknown | — | 1.5 | 4mo ago | Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute… | |
| CVE-2025-40551 | unknown | — | 1.5 | 4mo ago | SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This c… | |
| CVE-2025-64328 | unknown | — | 1.5 | 4mo ago | Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> c… | |
| CVE-2025-52691 | unknown | — | 1.5 | 4mo ago | SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail s… | |
| CVE-2025-34026 | unknown | — | 1.5 | 4mo ago | Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The… | |
| CVE-2025-68645 | unknown | — | 1.5 | 4mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal reque… | |
| CVE-2025-37164 | unknown | — | 1.5 | 5mo ago | Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution. | |
| CVE-2025-14847 | unknown | — | 1.5 | 5mo ago | MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by a… | |
| CVE-2025-68613 | unknown | — | 1.5 | 5mo ago | n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution. | |
| CVE-2025-14733 | unknown | — | 1.5 | 5mo ago | WatchGuard Fireware OS contains an out-of-bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and … | |
| CVE-2025-59374 | unknown | — | 1.5 | 5mo ago | ASUS Live Update contains an embedded malicious code vulnerability; the client was distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could caus… | |
| CVE-2025-20393 | unknown | — | 1.5 | 5mo ago | Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with… | |
| CVE-2025-40602 | unknown | — | 1.5 | 5mo ago | SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation in the appliance management console (AMC) of affected devices. | |
| CVE-2025-59718 | unknown | — | 1.5 | 5mo ago | Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiC… | |
| CVE-2025-14611 | unknown | — | 1.5 | 5mo ago | Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoin… | |
| CVE-2025-8110 | unknown | — | 1.5 | 6mo ago | Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution. | |
| CVE-2025-62221 | unknown | — | 1.5 | 6mo ago | Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally. | |
| CVE-2025-6218 | unknown | — | 1.5 | 6mo ago | RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user. | |
| CVE-2025-66644 | unknown | — | 1.5 | 6mo ago | Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands. | |
| CVE-2025-55182 | unknown | — | 1.5 | 6mo ago | Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Ser… | |
| CVE-2025-48633 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for information disclosure. | |
| CVE-2025-48572 | unknown | — | 1.5 | 6mo ago | Android Framework contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2025-58360 | unknown | — | 1.5 | 6mo ago | OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation… | |
| CVE-2025-61757 | unknown | — | 1.5 | 6mo ago | Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager. | |
| CVE-2025-13223 | unknown | — | 1.5 | 6mo ago | Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption. | |
| CVE-2025-58034 | unknown | — | 1.5 | 6mo ago | Fortinet FortiWeb contains an OS command injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI comman… | |
| CVE-2025-64446 | unknown | — | 1.5 | 7mo ago | Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. | |
| CVE-2025-9242 | unknown | — | 1.5 | 7mo ago | WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code. | |
| CVE-2025-12480 | unknown | — | 1.5 | 7mo ago | Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete. | |
| CVE-2025-62215 | unknown | — | 1.5 | 7mo ago | Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could ena… | |
| CVE-2025-21042 | unknown | — | 1.5 | 7mo ago | Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code. | |
| CVE-2025-11371 | unknown | — | 1.5 | 7mo ago | Gladinet CentreStack and Triofox contain a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files. | |
| CVE-2025-48703 | unknown | — | 1.5 | 7mo ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in… | |
| CVE-2025-11953 | unknown | — | 1.5 | 7mo ago | React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary e… | |
| CVE-2025-6204 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code. | |
| CVE-2025-6205 | unknown | — | 1.5 | 7mo ago | Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application. | |
| CVE-2025-59287 | unknown | — | 1.5 | 7mo ago | Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution. | |
| CVE-2025-61932 | unknown | — | 1.5 | 7mo ago | Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packet… | |
| CVE-2025-2746 | unknown | — | 1.5 | 7mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |
| CVE-2025-33073 | unknown | — | 1.5 | 7mo ago | Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the … | |
| CVE-2025-2747 | unknown | — | 1.5 | 7mo ago | Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. | |
| CVE-2025-61884 | unknown | — | 1.5 | 7mo ago | Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication. | |
| CVE-2025-54253 | unknown | — | 1.5 | 8mo ago | Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution. | |
| CVE-2025-47827 | unknown | — | 1.5 | 8mo ago | IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a cr… | |
| CVE-2025-59230 | unknown | — | 1.5 | 8mo ago | Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally. | |
| CVE-2025-24990 | unknown | — | 1.5 | 8mo ago | Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain… | |
| CVE-2025-27915 | unknown | — | 1.5 | 8mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user… | |
| CVE-2025-61882 | unknown | — | 1.5 | 8mo ago | Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise O… | |
| CVE-2025-21043 | unknown | — | 1.5 | 8mo ago | Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code. | |
| CVE-2025-4008 | unknown | — | 1.5 | 8mo ago | Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected de… | |
| CVE-2025-20352 | unknown | — | 1.5 | 8mo ago | Cisco IOS and IOS XE contain a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A… | |
| CVE-2025-59689 | unknown | — | 1.5 | 8mo ago | Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment. | |
| CVE-2025-10035 | unknown | — | 1.5 | 8mo ago | Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, … | |
| CVE-2025-32463 | unknown | — | 1.5 | 8mo ago | Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow a local attacker to leverage sudo’s -R (--chroot) option to run arbitrary command… | |
| CVE-2025-20333 | unknown | — | 1.5 | 8mo ago | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution.… | |
| CVE-2025-20362 | unknown | — | 1.5 | 8mo ago | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be cha… | |
| CVE-2025-10585 | unknown | — | 1.5 | 8mo ago | Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. | |
| CVE-2025-5086 | unknown | — | 1.5 | 9mo ago | Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution. | |
| CVE-2025-48543 | unknown | — | 1.5 | 9mo ago | Android Runtime contains a use-after-free vulnerability potentially allowing a Chrome sandbox escape leading to local privilege escalation. | |
| CVE-2025-53690 | unknown | — | 1.5 | 9mo ago | Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine … | |
| CVE-2025-9377 | unknown | — | 1.5 | 9mo ago | TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-servi… | |
| CVE-2025-55177 | unknown | — | 1.5 | 9mo ago | Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated use… | |
| CVE-2025-57819 | unknown | — | 1.5 | 9mo ago | Sangoma FreePBX contains an authentication bypass vulnerability: insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database… | |
| CVE-2025-7775 | unknown | — | 1.5 | 9mo ago | Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service. | |
| CVE-2025-43300 | unknown | — | 1.5 | 9mo ago | Apple iOS, iPadOS, and macOS contain an out-of-bounds write vulnerability in the Image I/O framework. | |
| CVE-2025-54948 | unknown | — | 1.5 | 9mo ago | Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands … | |
| CVE-2025-8875 | unknown | — | 1.5 | 10mo ago | N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution. | |
| CVE-2025-8876 | unknown | — | 1.5 | 10mo ago | N-able N-Central contains a command injection vulnerability via improper sanitization of user input. | |
| CVE-2025-8088 | unknown | — | 1.5 | 10mo ago | RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files. | |
| CVE-2025-20281 | unknown | — | 1.5 | 10mo ago | Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to explo… | |
| CVE-2025-20337 | unknown | — | 1.5 | 10mo ago | Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to explo… | |
| CVE-2025-49706 | unknown | — | 1.5 | 10mo ago | Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow an attacker to view… | |
| CVE-2025-2775 | unknown | — | 1.5 | 10mo ago | SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primi… | |
| CVE-2025-54309 | unknown | — | 1.5 | 10mo ago | CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, it mishandles AS2 validation and consequently allows remote attackers to obtain admin access via… | |
| CVE-2025-2776 | unknown | — | 1.5 | 10mo ago | SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read pr… | |
| CVE-2025-49704 | unknown | — | 1.5 | 10mo ago | Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-… | |
| CVE-2025-53770 | unknown | — | 1.5 | 10mo ago | Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could b… | |
| CVE-2025-54313 | unknown | — | 1.5 | 10mo ago | Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. | |
| CVE-2025-25257 | unknown | — | 1.5 | 10mo ago | Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. | |
| CVE-2025-54068 | unknown | — | 1.5 | 10mo ago | Laravel Livewire contains a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. | |
| CVE-2025-47812 | unknown | — | 1.5 | 11mo ago | Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arb… | |
| CVE-2025-5777 | unknown | — | 1.5 | 11mo ago | Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a… | |
| CVE-2025-6554 | unknown | — | 1.5 | 11mo ago | Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web bro… | |
| CVE-2025-48928 | unknown | — | 1.5 | 11mo ago | TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equiv… | |
| CVE-2025-48927 | unknown | — | 1.5 | 11mo ago | TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump … | |
| CVE-2025-6543 | unknown | — | 1.5 | 11mo ago | Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Pro… | |
| CVE-2025-3248 | unknown | — | 1.5 | 11mo ago | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary co… |