CVE vulnerabilities
32,772 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 5,851–5,900 of 8,314 in Critical · page 118 of 167
| ID | ID and CVSS score | Summary |
|---|---|---|
| CVE-2025-3653 | CVE-2025-3653 CVSS 9.8 | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by acce… |
| CVE-2025-36418 | CVE-2025-36418 CVSS 9.8 | IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modi… |
| CVE-2025-36386 | CVE-2025-36386 CVSS 9.8 | IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthoriz… |
| CVE-2025-36356 | CVE-2025-36356 CVSS 9.3 | IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated us… |
| CVE-2025-3626 | CVE-2025-3626 CVSS 9.1 | A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS … |
| CVE-2025-36251 | CVE-2025-36251 CVSS 9.8 | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to imprope… |
| CVE-2025-36250 | CVE-2025-36250 CVSS 9.8 | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary c… |
| CVE-2025-36236 | CVE-2025-36236 CVSS 9.1 | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to traverse directorie… |
| CVE-2025-3623 | CVE-2025-3623 CVSS 9.1 | The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted… |
| CVE-2025-36222 | CVE-2025-36222 CVSS 9.8 | IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations … |
| CVE-2025-3621 | CVE-2025-3621 CVSS 9.6 | Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * … |
| CVE-2025-36157 | CVE-2025-36157 CVSS 9.1 | IBM Jazz Foundation 7.0.2 to 7.0.2 iFix035, 7.0.3 to 7.0.3 iFix018, and 7.1.0 to 7.1.0 iFix004 could allow an unauthenticated remote attacker to update server … |
| CVE-2025-36087 | CVE-2025-36087 CVSS 9.8 | IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations,… |
| CVE-2025-3605 | CVE-2025-3605 CVSS 9.8 | The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including… |
| CVE-2025-36041 | CVE-2025-36041 CVSS 9.8 | IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1 through 3.5.3, and MQ Operator SC… |
| CVE-2025-3604 | CVE-2025-3604 CVSS 9.8 | The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to t… |
| CVE-2025-36038 | CVE-2025-36038 CVSS 9.8 | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of seriali… |
| CVE-2025-3603 | CVE-2025-3603 CVSS 9.8 | The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to t… |
| CVE-2025-35996 | CVE-2025-35996 CVSS 9.0 | KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. T… |
| CVE-2025-3594 | CVE-2025-3594 CVSS 9.8 | Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through u… |
| CVE-2025-3593 | CVE-2025-3593 CVSS 9.8 | A vulnerability was found in ZHENFENG13/code-projects My-Blog-layui 1.0. It has been declared as critical. This vulnerability affects the function Upload of th… |
| CVE-2025-3589 | CVE-2025-3589 CVSS 9.8 | A vulnerability, which was classified as critical, was found in SourceCodester Music Class Enrollment System 1.0. Affected is an unknown function of the file /… |
| CVE-2025-3559 | CVE-2025-3559 CVSS 9.8 | A vulnerability has been found in ghostxbh uzy-ssm-mall 1.0.0 and classified as critical. This vulnerability affects the function ForeProductListController of … |
| CVE-2025-3558 | CVE-2025-3558 CVSS 9.8 | A vulnerability, which was classified as critical, was found in ghostxbh uzy-ssm-mall 1.0.0. This affects an unknown part of the file /mall/user/uploadUserHead… |
| CVE-2025-3553 | CVE-2025-3553 CVSS 9.8 | A vulnerability was found in phpshe 1.8. It has been declared as critical. This vulnerability affects the function pe_delete of the file /admin.php?mod=brand&a… |
| CVE-2025-35452 | CVE-2025-35452 CVSS 9.8 | PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface. |
| CVE-2025-35451 | CVE-2025-35451 CVSS 9.8 | PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many… |
| CVE-2025-35434 | CVE-2025-35434 CVSS 9.8 | CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonat… |
| CVE-2025-3515 | CVE-2025-3515 CVSS 9.8 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation… |
| CVE-2025-35062 | CVE-2025-35062 CVSS 9.8 | Newforma Info Exchange (NIX) before version 2023.1 by default allows anonymous authentication which allows an unauthenticated attacker to exploit additional vu… |
| CVE-2025-35051 | CVE-2025-35051 CVSS 9.8 | Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attack… |
| CVE-2025-35050 | CVE-2025-35050 CVSS 9.8 | Newforma Info Exchange (NIX) accepts serialized .NET data via the '/remoteweb/remote.rem' endpoint, allowing a remote, unauthenticated attacker to execute arbi… |
| CVE-2025-35042 | CVE-2025-35042 CVSS 9.8 | Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change… |
| CVE-2025-35032 | CVE-2025-35032 CVSS 9.9 | Medical Informatics Engineering Enterprise Health allows authenticated users to upload arbitrary files. The impact of this behavior depends on how files are ac… |
| CVE-2025-35028 | CVE-2025-35028 CVSS 9.1 | By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP serve… |
| CVE-2025-35003 | CVE-2025-35003 CVSS 9.8 | Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bl… |
| CVE-2025-3500 | CVE-2025-3500 CVSS 9.8 | Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation. This issue affects Antivirus: from 25.1.981… |
| CVE-2025-3499 | CVE-2025-3499 CVSS 10.0 | The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection throu… |
| CVE-2025-3498 | CVE-2025-3498 CVSS 9.9 | An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device … |
| CVE-2025-3495 | CVE-2025-3495 CVSS 9.8 | Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID a… |
| CVE-2025-3484 | CVE-2025-3484 CVSS 9.8 | MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute … |
| CVE-2025-3472 | CVE-2025-3472 CVSS 9.8 | The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software al… |
| CVE-2025-3461 | CVE-2025-3461 CVSS 9.8 | The Quantenna Wi-Fi chips ship with an unauthenticated telnet interface by default. This is an instance of CWE-306, "Missing Authentication for Critical Functi… |
| CVE-2025-34523 | CVE-2025-34523 CVSS 9.8 | A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachab… |
| CVE-2025-34522 | CVE-2025-34522 CVSS 9.8 | A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without auth… |
| CVE-2025-34520 | CVE-2025-34520 CVSS 9.8 | An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected func… |
| CVE-2025-34516 | CVE-2025-34516 CVSS 9.8 | Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a use of default credentials vulnerability that allows an unauthenticated attacker to obtain rem… |
| CVE-2025-34515 | CVE-2025-34515 CVSS 9.8 | Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an execution with unnecessary privileges vulnerability in sync_project.sh that allows an attacke… |
| CVE-2025-34513 | CVE-2025-34513 CVSS 9.8 | Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated … |
| CVE-2025-3450 | CVE-2025-3450 CVSS 10.0 | An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated net… |