CVE vulnerabilities
31,594 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 3,401–3,450 of 8,314 in Critical · page 69 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2025-66630 | 9.4 | Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an… |
| CVE-2025-66614 | 9.1 | Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 throu… |
| CVE-2025-66606 | 9.6 | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly encode URLs. An attacker could tamper… |
| CVE-2025-66603 | 9.8 | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The web server accepts the OPTIONS method. An attacker could potenti… |
| CVE-2025-66602 | 9.8 | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The web server accepts access by IP address. When a worm that random… |
| CVE-2025-66590 | 7.8 | In AzeoTech DAQFactory release 20.7 (Build 2555), an out-of-bounds write vulnerability can be exploited by an attacker to cause the program to write data past … |
| CVE-2025-66589 | 9.1 | In AzeoTech DAQFactory release 20.7 (Build 2555), an out-of-bounds read vulnerability can be exploited by an attacker to cause the program to read data past th… |
| CVE-2025-66588 | 7.8 | In AzeoTech DAQFactory release 20.7 (Build 2555), an access of uninitialized pointer vulnerability can be exploited by an attacker which can lead to arbitrary … |
| CVE-2025-66580 | 9.6 | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerabi… |
| CVE-2025-66576 | 9.8 | Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code … |
| CVE-2025-66570 | 9.8 | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to i… |
| CVE-2025-66568 | 9.1 | The ruby-saml library implements the client side of a SAML authorization. Versions up to and including 1.12.4 are vulnerable to authentication bypass through… |
| CVE-2025-66567 | 9.1 | The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypa… |
| CVE-2025-66565 | 9.8 | Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (c… |
| CVE-2025-66562 | 9.6 | TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuu… |
| CVE-2025-66516 | 9.8 | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to… |
| CVE-2025-66509 | 9.8 | LaraDashboard is an all-in-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attacker… |
| CVE-2025-66489 | 9.8 | Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a … |
| CVE-2025-66481 | 9.6 | DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sani… |
| CVE-2025-66480 | 9.8 | Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to t… |
| CVE-2025-66456 | 9.8 | Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 c… |
| CVE-2025-66430 | 9.1 | Plesk 18.0 has Incorrect Access Control. |
| CVE-2025-66419 | 10.0 | MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and esca… |
| CVE-2025-66417 | 9.8 | GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpo… |
| CVE-2025-66410 | 9.1 | Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage … |
| CVE-2025-66409 | 9.1 | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, rec… |
| CVE-2025-66405 | 9.8 | Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the… |
| CVE-2025-66401 | 9.8 | MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command … |
| CVE-2025-66301 | 9.6 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/page… |
| CVE-2025-66277 | 9.8 | A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to t… |
| CVE-2025-66262 | 9.8 | Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 100… |
| CVE-2025-66261 | 9.8 | Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 10… |
| CVE-2025-66259 | 9.8 | Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 10… |
| CVE-2025-66257 | 9.1 | Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1… |
| CVE-2025-66256 | 9.8 | Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 100… |
| CVE-2025-66255 | 9.8 | Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1… |
| CVE-2025-66254 | 9.1 | Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500,… |
| CVE-2025-66253 | 9.8 | Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000,… |
| CVE-2025-66251 | 9.1 | Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 10… |
| CVE-2025-66250 | 9.8 | Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 10… |
| CVE-2025-66222 | 9.6 | DeepChat is a smart assistant that uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid dia… |
| CVE-2025-66219 | 9.8 | willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitme… |
| CVE-2025-66216 | 9.8 | AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, a heap buffer overflow vulnerability has been identified in the AIS::Message class of AIS-… |
| CVE-2025-6621 | 9.8 | A vulnerability classified as critical has been found in TOTOLINK CA300-PoE 6.2c.884. This affects the function QuickSetting of the file ap.so. The manipulatio… |
| CVE-2025-66208 | 9.8 | Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versio… |
| CVE-2025-66205 | 9.8 | Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of v… |
| CVE-2025-66203 | 9.1 | StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault applicati… |
| CVE-2025-6620 | 9.8 | A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upg… |
| CVE-2025-6619 | 9.8 | A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the … |
| CVE-2025-6618 | 9.8 | A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so.… |