CVE vulnerabilities (32,772 indexed)
32,772 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 6,401–6,450 of 8,314 in Critical · page 129 of 167
| CVE ID | CVSS | Summary |
|---|---|---|
| CVE-2025-28983 | 9.8 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Es… |
| CVE-2025-28982 | 9.8 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThimPress WP Pipes allows SQL Injection. This issue affec… |
| CVE-2025-28979 | 9.8 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress WP Pipes allows PHP Local Fi… |
| CVE-2025-28970 | 9.8 | Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic wp-optimize-by-xtraffic allows Object Injection. This issue affects WP Optimiz… |
| CVE-2025-28961 | 9.8 | Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Object Injection. This issue affects URL Shortener: from… |
| CVE-2025-28959 | 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows SQL … |
| CVE-2025-28951 | 9.1 | Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server. Th… |
| CVE-2025-28942 | 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Trust Payments Trust Payments Gateway for WooCommerce tru… |
| CVE-2025-28916 | 9.8 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rashid Docpro docpro allows PHP Local … |
| CVE-2025-28915 | 9.1 | Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit allows Upload a Web Shell to a Web Server. This iss… |
| CVE-2025-28904 | 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free web-directory-free allows Bli… |
| CVE-2025-28898 | 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator… |
| CVE-2025-28893 | 9.9 | Improper Control of Generation of Code ('Code Injection') vulnerability in Govind Visual Text Editor visual-text-editor allows Remote Code Inclusion. This issue… |
| CVE-2025-28872 | 9.8 | Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Accessing Functionality Not Properly Constrained… |
| CVE-2025-2859 | 9.8 | An attacker with network access could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the … |
| CVE-2025-2857 | 10.0 | Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child proces… |
| CVE-2025-2846 | 9.8 | A vulnerability classified as critical was found in SourceCodester Online Eyewear Shop 1.0. This vulnerability affects the function registration of the file /o… |
| CVE-2025-28413 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component. |
| CVE-2025-28412 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController. |
| CVE-2025-28411 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method in /tool/gen/editSave. |
| CVE-2025-28410 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method, which does not properly validate whether the requesting us… |
| CVE-2025-28408 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{deptId} endpoint, which does not prope… |
| CVE-2025-28406 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter. |
| CVE-2025-28405 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method. |
| CVE-2025-28402 | 9.8 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter. |
| CVE-2025-28399 | 9.8 | An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class. |
| CVE-2025-28389 | 9.8 | Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack. |
| CVE-2025-28388 | 9.8 | OpenC3 COSMOS before v6.0.2 was discovered to contain hardcoded credentials for the Service Account. |
| CVE-2025-28386 | 9.8 | A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading… |
| CVE-2025-28384 | 9.1 | An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS before 6.1.0 allows attackers to execute a directory traversal. |
| CVE-2025-2831 | 9.8 | A vulnerability has been found in mingyuefusu 明月复苏 tushuguanlixitong 图书管理系统 up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as critical. This vul… |
| CVE-2025-2828 | 10.0 | A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_communit… |
| CVE-2025-28256 | 9.8 | An issue in TOTOLINK A3100R V4.1.2cu.5247_B20211129 allows a remote attacker to execute arbitrary code via the setWebWlanIdx of the file /lib/cste_modules/wire… |
| CVE-2025-28242 | 9.8 | Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. |
| CVE-2025-28238 | 9.8 | Improper session management in Elber REBLE310 Firmware v5.5.1.R, Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. |
| CVE-2025-28236 | 9.8 | Nautel VX Series transmitters VX SW v6.4.0 and below were discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This… |
| CVE-2025-28233 | 9.1 | Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Cont… |
| CVE-2025-28232 | 9.1 | Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication. |
| CVE-2025-28231 | 9.1 | Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges. |
| CVE-2025-28230 | 9.1 | Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials. |
| CVE-2025-28229 | 9.8 | Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges. |
| CVE-2025-28219 | 9.8 | Netgear DC112A V1.0.0.64 has an OS command injection vulnerability in usb_adv.cgi, which allows remote attackers to execute arbitrary commands via paramete… |
| CVE-2025-28200 | 9.8 | Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits of the MAC address. |
| CVE-2025-28197 | 9.1 | Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. |
| CVE-2025-28168 | 9.8 | The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validatio… |
| CVE-2025-28146 | 9.8 | Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via fota_url in /boafrm/formLtefo… |
| CVE-2025-28138 | 9.8 | The TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the Not… |
| CVE-2025-28137 | 9.8 | The TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the Not… |
| CVE-2025-2812 | 9.8 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind S… |
| CVE-2025-28104 | 9.1 | Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input. |