CVE vulnerabilities
33,486 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 6,751–6,800 of 8,314 in Critical · page 136 of 167
| ID | Title and CVSS | Summary |
|---|---|---|
| CVE-2025-25565 | CVE-2025-25565 CVSS 9.8 | SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in the Command.c file via the PtMakeCert and PtMakeCert2048 functions. NOTE: the Supplier disputes thi… |
| CVE-2025-25535 | CVE-2025-25535 CVSS 9.8 | HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request. |
| CVE-2025-25530 | CVE-2025-25530 CVSS 9.8 | Buffer overflow vulnerability in Digital China DCBI-Netlog-LAB Gateway 1.0 due to the lack of length verification, which is related to saving parental control … |
| CVE-2025-25521 | CVE-2025-25521 CVSS 9.8 | Seacms <=13.3 is vulnerable to SQL Injection in admin_type_news.php. |
| CVE-2025-25520 | CVE-2025-25520 CVSS 9.8 | Seacms <13.3 is vulnerable to SQL Injection in admin_pay.php. |
| CVE-2025-25519 | CVE-2025-25519 CVSS 9.8 | Seacms <=13.3 is vulnerable to SQL Injection in admin_zyk.php. |
| CVE-2025-25517 | CVE-2025-25517 CVSS 9.8 | Seacms <=13.3 is vulnerable to SQL Injection in admin_reslib.php. |
| CVE-2025-25516 | CVE-2025-25516 CVSS 9.8 | Seacms <=13.3 is vulnerable to SQL Injection in admin_paylog.php. |
| CVE-2025-25513 | CVE-2025-25513 CVSS 9.8 | Seacms <=13.3 is vulnerable to SQL Injection in admin_members.php. |
| CVE-2025-25467 | CVE-2025-25467 CVSS 9.8 | Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file. |
| CVE-2025-25456 | CVE-2025-25456 CVSS 9.8 | Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via mac2. |
| CVE-2025-25403 | CVE-2025-25403 CVSS 9.8 | Slims (Senayan Library Management Systems) 9 Bulian V9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/coll_type.php. |
| CVE-2025-25389 | CVE-2025-25389 CVSS 9.8 | A SQL Injection vulnerability was found in /admin/forgot-password.php in Phpgurukul Land Record System v1.0, which allows remote attackers to execute arbitrary… |
| CVE-2025-25388 | CVE-2025-25388 CVSS 9.8 | A SQL Injection vulnerability was found in /admin/edit-propertytype.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitra… |
| CVE-2025-2538 | CVE-2025-2538 CVSS 9.8 | A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthe… |
| CVE-2025-25379 | CVE-2025-25379 CVSS 9.6 | Cross Site Request Forgery vulnerability in 07FLYCMS v.1.3.9 allows a remote attacker to execute arbitrary code via the id parameter of the del.html component. |
| CVE-2025-25373 | CVE-2025-25373 CVSS 9.8 | The Memory Management Module of NASA cFS (Core Flight System) Aquila has insecure permissions, which can be exploited to gain an RCE on the platform. |
| CVE-2025-25362 | CVE-2025-25362 CVSS 9.8 | A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the t… |
| CVE-2025-25361 | CVE-2025-25361 CVSS 9.8 | An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code… |
| CVE-2025-25351 | CVE-2025-25351 CVSS 9.8 | PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the dateexpense parameter. |
| CVE-2025-25349 | CVE-2025-25349 CVSS 9.8 | PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the costitem parameter. |
| CVE-2025-25343 | CVE-2025-25343 CVSS 9.8 | Tenda AC6 V15.03.05.16 firmware has a buffer overflow vulnerability in the formexeCommand function. |
| CVE-2025-25306 | CVE-2025-25306 CVSS 9.3 | Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` … |
| CVE-2025-25292 | CVE-2025-25292 CVSS 9.8 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior… |
| CVE-2025-25291 | CVE-2025-25291 CVSS 9.8 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior… |
| CVE-2025-25286 | CVE-2025-25286 CVSS 9.8 | Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code e… |
| CVE-2025-25270 | CVE-2025-25270 CVSS 9.8 | An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations. |
| CVE-2025-25257 | Fortinet FortiWeb SQL Injection Vulnerability · KEV · CVSS 9.8 · Fortinet | Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HT… |
| CVE-2025-25256 | CVE-2025-25256 CVSS 9.8 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 throug… |
| CVE-2025-25249 | CVE-2025-25249 CVSS 8.1 · fortinet | A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 th… |
| CVE-2025-2523 | CVE-2025-2523 CVSS 9.4 | The Honeywell Experion PKS and OneWireless WDM contain an Integer Underflow vulnerability in the component Control Data Access (CDA). An attacker cou… |
| CVE-2025-25226 | CVE-2025-25226 CVSS 9.8 | Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is … |
| CVE-2025-25222 | CVE-2025-25222 CVSS 9.8 | The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this v… |
| CVE-2025-25221 | CVE-2025-25221 CVSS 9.8 | The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulner… |
| CVE-2025-25211 | CVE-2025-25211 CVSS 9.8 | Weak password requirements issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a brute-force attack may allow an attac… |
| CVE-2025-25196 | CVE-2025-25196 CVSS 9.8 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart <… |
| CVE-2025-25182 | CVE-2025-25182 CVSS 9.4 | Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7… |
| CVE-2025-25176 | CVE-2025-25176 CVSS 9.1 | Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platfor… |
| CVE-2025-25174 | CVE-2025-25174 CVSS 10.0 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beete… |
| CVE-2025-25167 | CVE-2025-25167 CVSS 9.8 | Missing Authorization vulnerability in Black and White BookPress – For Book Authors book-press allows Exploiting Incorrectly Configured Access Control Security… |
| CVE-2025-25163 | CVE-2025-25163 CVSS 9.8 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Zach Swetz Plugin A/B Image Optimizer images-optimizer allows P… |
| CVE-2025-25150 | CVE-2025-25150 CVSS 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing ulisting allows Blind SQL Injection. Thi… |
| CVE-2025-2512 | CVE-2025-2512 CVSS 9.8 | The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() f… |
| CVE-2025-25107 | CVE-2025-25107 CVSS 9.6 | Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites onestore-sites allows Cross Site Request Forgery. This issue affects OneStore Sites: fr… |
| CVE-2025-25106 | CVE-2025-25106 CVSS 9.6 | Cross-Site Request Forgery (CSRF) vulnerability in FancyWP Starter Templates by FancyWP starter-templates allows Cross Site Request Forgery. This issue affects … |
| CVE-2025-25101 | CVE-2025-25101 CVSS 9.6 | Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites munk-sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a… |
| CVE-2025-25067 | CVE-2025-25067 CVSS 9.8 | mySCADA myPRO Manager is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands. |
| CVE-2025-2505 | CVE-2025-2505 CVSS 9.8 | The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it… |
| CVE-2025-25038 | CVE-2025-25038 CVSS 9.8 | An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize us… |
| CVE-2025-25015 | CVE-2025-25015 CVSS 9.9 | Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 … |