CVE vulnerabilities
33,486 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 6,801–6,850 of 8,314 in Critical · page 137 of 167
| ID | Title | CVSS | KEV | Summary |
|---|---|---|---|---|
| CVE-2025-25014 | CVE-2025-25014 | 9.8 |  | A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. |
| CVE-2025-24989 | Microsoft Power Pages Improper Access Control Vulnerability | 9.8 | KEV (Microsoft) | Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network potentially b… |
| CVE-2025-24981 | CVE-2025-24981 | 9.3 |  | MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the URL from m… |
| CVE-2025-24977 | CVE-2025-24977 | 9.1 |  | OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands … |
| CVE-2025-24973 | CVE-2025-24973 | 9.3 |  | Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of … |
| CVE-2025-24957 | CVE-2025-24957 | 9.8 |  | WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, `get_detalhes_socio.php` endpoint. T… |
| CVE-2025-24956 | CVE-2025-24956 | 9.8 |  | A vulnerability has been identified in OpenV2G (All versions < V0.9.6). The OpenV2G EXI parsing feature is missing a length check when parsing X509 serial numb… |
| CVE-2025-2494 | CVE-2025-2494 | 9.8 |  | Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the ‘/softdial/p… |
| CVE-2025-24937 | CVE-2025-24937 | 9.0 |  | File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a full compromise… |
| CVE-2025-24936 | CVE-2025-24936 | 9.0 |  | The web application allows user input to pass unfiltered to a command executed on the underlying operating system. The vulnerable component is bound to the net… |
| CVE-2025-24924 | CVE-2025-24924 | 9.8 |  | Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username. |
| CVE-2025-24906 | CVE-2025-24906 | 9.8 |  | WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, `get_detalhes_cobranca.php` endpoint… |
| CVE-2025-24905 | CVE-2025-24905 | 9.8 |  | WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, `get_codigobarras_cobranca.php` endp… |
| CVE-2025-24895 | CVE-2025-24895 | 9.1 |  | CIE.AspNetCore.Authentication is an AspNetCore Remote Authenticator for CIE 3.0. Authentication using Spid and CIE is based on the SAML2 standard which provide… |
| CVE-2025-24894 | CVE-2025-24894 | 9.1 |  | SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides … |
| CVE-2025-24893 | XWiki Platform Eval Injection Vulnerability | 9.8 | KEV (XWiki) | XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch. |
| CVE-2025-24891 | CVE-2025-24891 | 9.6 |  | Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrar… |
| CVE-2025-24865 | CVE-2025-24865 | 9.8 |  | The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sens… |
| CVE-2025-24861 | CVE-2025-24861 | 9.8 |  | An attacker may inject commands via specially-crafted POST requests. |
| CVE-2025-24813 | Apache Tomcat Path Equivalence Vulnerability | 9.8 | KEV (Apache) | Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a … |
| CVE-2025-24799 | CVE-2025-24799 | 9.8 |  | GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability… |
| CVE-2025-24797 | CVE-2025-24797 | 9.8 |  | Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-contr… |
| CVE-2025-24786 | CVE-2025-24786 | 9.1 |  | WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traver… |
| CVE-2025-24775 | CVE-2025-24775 | 9.9 |  | Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server. This issue affects … |
| CVE-2025-24773 | CVE-2025-24773 | 9.3 |  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce w… |
| CVE-2025-24767 | CVE-2025-24767 | 9.3 |  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturaone TicketBAI Facturas para WooCommerce wp-ticketb… |
| CVE-2025-24759 | CVE-2025-24759 | 9.3 |  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-Busin… |
| CVE-2025-2474 | CVE-2025-2474 | 9.8 |  | Out-of-bounds write in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition … |
| CVE-2025-2473 | CVE-2025-2473 | 9.8 |  | A vulnerability was found in PHPGurukul Company Visitor Management System 2.0 and classified as critical. Affected by this issue is some unknown functionality … |
| CVE-2025-2472 | CVE-2025-2472 | 9.8 |  | A vulnerability has been found in PHPGurukul Apartment Visitors Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown … |
| CVE-2025-2470 | CVE-2025-2470 | 9.8 |  | The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation i… |
| CVE-2025-24677 | CVE-2025-24677 | 9.9 |  | Improper Control of Generation of Code ('Code Injection') vulnerability in wpspin Post/Page Copying Tool postpage-import-export-with-custom-fields-taxonomies a… |
| CVE-2025-24671 | CVE-2025-24671 | 9.8 |  | Deserialization of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows Object Injection. This issue affects Save as PDF… |
| CVE-2025-24667 | CVE-2025-24667 | 9.3 |  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Expres… |
| CVE-2025-24665 | CVE-2025-24665 | 9.3 |  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Unishippers Edit… |
| CVE-2025-24664 | CVE-2025-24664 | 9.3 |  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express … |
| CVE-2025-24650 | CVE-2025-24650 | 9.1 |  | Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server. This issue affects Tourfic:… |
| CVE-2025-24612 | CVE-2025-24612 | 9.3 |  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ihor Kit Shipping for Nova Poshta nova-poshta-ttn allows … |
| CVE-2025-24607 | CVE-2025-24607 | 9.8 |  | Missing Authorization vulnerability in Northern Beaches Websites IdeaPush ideapush allows Exploiting Incorrectly Configured Access Control Security Levels. This… |
| CVE-2025-24601 | CVE-2025-24601 | 9.8 |  | Deserialization of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection. This issue affects FundPress: from n/a through <= 2.0.… |
| CVE-2025-24596 | CVE-2025-24596 | 9.8 |  | Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite wc-product-table-lite allows Exploiting Incorrectly Configured Access Co… |
| CVE-2025-24577 | CVE-2025-24577 | 9.8 |  | Missing Authorization vulnerability in Ays Pro Poll Maker poll-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects… |
| CVE-2025-24522 | CVE-2025-24522 | 10.0 |  | KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenti… |
| CVE-2025-24447 | CVE-2025-24447 | 9.1 |  | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code … |
| CVE-2025-24446 | CVE-2025-24446 | 9.1 |  | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code executi… |
| CVE-2025-24434 | CVE-2025-24434 | 9.1 |  | Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could r… |
| CVE-2025-24383 | CVE-2025-24383 | 9.1 |  | Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A… |
| CVE-2025-24322 | CVE-2025-24322 | 9.8 |  | An unsafe default authentication vulnerability exists in the Initial Setup Authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted ne… |
| CVE-2025-24297 | CVE-2025-24297 | 9.8 |  | Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal. |
| CVE-2025-24290 | CVE-2025-24290 | 9.9 |  | Multiple Authenticated SQL Injection vulnerabilities found in UISP Application (Version 2.4.206 and earlier) could allow a malicious actor with low privileges … |