CVE vulnerabilities
32,772 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 6,301–6,350 of 8,314 in Critical · page 127 of 167
| ID | Title | Summary |
|---|---|---|
| CVE-2025-30159 | CVE-2025-30159 CVSS 9.1 | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snip… |
| CVE-2025-30139 | CVE-2025-30139 CVSS 9.8 | An issue was discovered on G-Net Dashcam BB GONX devices. Default credentials for SSID cannot be changed. It broadcasts a fixed SSID with default credentials t… |
| CVE-2025-30137 | CVE-2025-30137 CVSS 9.8 | An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in the APK for ports 9091 and 9092. The GNET mobile application contains hardco… |
| CVE-2025-30135 | CVE-2025-30135 CVSS 9.4 | An issue was discovered on IROAD Dashcam FX2 devices. Dumping Files Over HTTP and RTSP Without Authentication can occur. It lacks authentication controls on it… |
| CVE-2025-30133 | CVE-2025-30133 CVSS 9.8 | An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" a… |
| CVE-2025-30132 | CVE-2025-30132 CVSS 9.1 | An issue was discovered on IROAD Dashcam V devices. It uses an unregistered public domain name as an internal domain, creating a security risk. During analysis… |
| CVE-2025-30131 | CVE-2025-30131 CVSS 9.8 | An issue was discovered on IROAD Dashcam FX2 devices. An unauthenticated file upload endpoint can be leveraged to execute arbitrary commands by uploading a CGI… |
| CVE-2025-30127 | CVE-2025-30127 CVSS 9.8 | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings … |
| CVE-2025-30125 | CVE-2025-30125 CVSS 9.8 | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an in… |
| CVE-2025-30124 | CVE-2025-30124 CVSS 9.8 | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. When a new SD card is inserted into the dashcam, the existing password is written onto the S… |
| CVE-2025-30123 | CVE-2025-30123 CVSS 9.8 | An issue was discovered on ROADCAM X3 devices. The mobile app APK (Viidure) contains hardcoded FTP credentials for the FTPX user account, enabling attackers to… |
| CVE-2025-30122 | CVE-2025-30122 CVSS 9.8 | An issue was discovered on ROADCAM X3 devices. It has a uniform default credential set that cannot be modified by users, making it easy for attackers to gain u… |
| CVE-2025-30115 | CVE-2025-30115 CVSS 9.8 | An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Default Credentials Cannot Be Changed. It uses a fixed default SSID and password ("q… |
| CVE-2025-30114 | CVE-2025-30114 CVSS 9.1 | An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Bypassing of Device Pairing can occur. The pairing mechanism relies solely on the co… |
| CVE-2025-30113 | CVE-2025-30113 CVSS 9.8 | An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Hardcoded Credentials exist in the APK for Ports 9091 and 9092. The dashcam's Androi… |
| CVE-2025-3011 | CVE-2025-3011 CVSS 9.8 | SOOP-CLM from PiExtract has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and dele… |
| CVE-2025-30095 | CVE-2025-30095 CVSS 9.0 | VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across d… |
| CVE-2025-30065 | CVE-2025-30065 CVSS 9.8 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to… |
| CVE-2025-3006 | CVE-2025-3006 CVSS 9.8 | A vulnerability was found in PHPGurukul e-Diary Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /e… |
| CVE-2025-30026 | CVE-2025-30026 CVSS 9.8 | The AXIS Camera Station Server had a flaw that allowed bypassing the authentication that is normally required. |
| CVE-2025-30023 | CVE-2025-30023 CVSS 9.0 | The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. |
| CVE-2025-30016 | CVE-2025-30016 CVSS 9.8 | SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authe… |
| CVE-2025-30012 | CVE-2025-30012 CVSS 9.8 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component, which allows an unauthenticated attacker to sen… |
| CVE-2025-29980 | CVE-2025-29980 CVSS 9.8 | A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. Due to improper input validation, a remote unauthenticated attacker can run arbitrar… |
| CVE-2025-29972 | CVE-2025-29972 CVSS 9.8 | Server-side request forgery (SSRF) in Azure Storage Resource Provider allows an authorized attacker to perform spoofing over a network. |
| CVE-2025-29953 | CVE-2025-29953 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 wh… |
| CVE-2025-29927 | CVE-2025-29927 CVSS 9.1 | Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it… |
| CVE-2025-29926 | CVE-2025-29926 CVSS 9.8 | XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where th… |
| CVE-2025-29922 | CVE-2025-29922 CVSS 9.6 | kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability … |
| CVE-2025-29913 | CVE-2025-29913 CVSS 9.8 | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between … |
| CVE-2025-29912 | CVE-2025-29912 CVSS 9.8 | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between … |
| CVE-2025-29911 | CVE-2025-29911 CVSS 9.8 | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between … |
| CVE-2025-29909 | CVE-2025-29909 CVSS 9.8 | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between … |
| CVE-2025-29902 | CVE-2025-29902 CVSS 10.0 | Remote code execution that allows unauthorized users to execute arbitrary code on the server machine. |
| CVE-2025-29813 | CVE-2025-29813 CVSS 9.8 | Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-29783 | CVE-2025-29783 CVSS 9.0 | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed d… |
| CVE-2025-2978 | CVE-2025-2978 CVSS 9.8 | A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/u… |
| CVE-2025-2973 | CVE-2025-2973 CVSS 9.8 | A vulnerability, which was classified as critical, was found in code-projects College Management System 1.0. This affects an unknown part of the file /Admin/st… |
| CVE-2025-29709 | CVE-2025-29709 CVSS 9.8 | SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio. |
| CVE-2025-29708 | CVE-2025-29708 CVSS 9.8 | SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services. |
| CVE-2025-29662 | CVE-2025-29662 CVSS 9.8 | An RCE vulnerability in the core application in LandChat 3.25.12.18 allows an unauthenticated attacker to execute system code via remote network access. |
| CVE-2025-29660 | CVE-2025-29660 CVSS 9.8 | A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper input valida… |
| CVE-2025-29659 | CVE-2025-29659 CVSS 9.8 | Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary. |
| CVE-2025-29647 | CVE-2025-29647 CVSS 9.8 | SeaCMS v13.3 has a SQL injection vulnerability in the component admin_tempvideo.php. |
| CVE-2025-29631 | CVE-2025-29631 CVSS 9.8 | Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through … |
| CVE-2025-29629 | CVE-2025-29629 CVSS 9.1 | Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 use weak default credentials for… |
| CVE-2025-29628 | CVE-2025-29628 CVSS 9.4 | A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Applicat… |
| CVE-2025-2952 | CVE-2025-2952 CVSS 9.8 | A vulnerability classified as critical was found in Bluestar Micro Mall 1.0. Affected by this vulnerability is an unknown functionality of the file /api/api.ph… |
| CVE-2025-29515 | CVE-2025-29515 CVSS 9.8 | Incorrect access control in the DELT_file.xgi endpoint of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to modify arbitrary settin… |
| CVE-2025-29514 | CVE-2025-29514 CVSS 9.8 | Incorrect access control in the config.xgi function of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to download the configuration… |