31,594 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 3,501–3,550 of 8,314 in Critical · page 71 of 167
| ID | Title | Summary |
|---|---|---|
| CVE-2025-65482 | CVE-2025-65482 CVSS 9.8 | An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx f… |
| CVE-2025-65474 | CVE-2025-65474 CVSS 9.8 | An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via re… |
| CVE-2025-65473 | CVE-2025-65473 CVSS 9.1 | An arbitrary file rename vulnerability in the /admin/filer.php component of EasyImages 2.0 v2.8.6 and below allows attackers with Administrator privileges to e… |
| CVE-2025-6544 | CVE-2025-6544 CVSS 9.8 | A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The v… |
| CVE-2025-6543 | Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability · KEV · CVSS 9.8 · Citrix | Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured… |
| CVE-2025-6542 | CVE-2025-6542 CVSS 9.8 | An arbitrary OS command may be executed on the product by a remote unauthenticated attacker. |
| CVE-2025-65358 | CVE-2025-65358 CVSS 9.8 | Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the 'docid' parameter at /admin/appointment.php. |
| CVE-2025-65354 | CVE-2025-65354 CVSS 9.8 | Improper input handling in /Grocery/search_products_itname.php in PuneethReddyHC event-management 1.0 permits SQL injection via the sitem_name POST parameter. C… |
| CVE-2025-65346 | CVE-2025-65346 CVSS 9.1 | alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to b… |
| CVE-2025-65319 | CVE-2025-65319 CVSS 9.1 | When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows… |
| CVE-2025-65318 | CVE-2025-65318 CVSS 9.1 | When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows … |
| CVE-2025-65294 | CVE-2025-65294 CVSS 9.8 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestr… |
| CVE-2025-65276 | CVE-2025-65276 CVSS 9.8 | An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919dec… |
| CVE-2025-65267 | CVE-2025-65267 CVSS 9.0 | In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payloa… |
| CVE-2025-65236 | CVE-2025-65236 CVSS 9.8 | OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.p… |
| CVE-2025-65235 | CVE-2025-65235 CVSS 9.8 | OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByPr… |
| CVE-2025-65213 | CVE-2025-65213 CVSS 9.8 | MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and… |
| CVE-2025-65212 | CVE-2025-65212 CVSS 9.8 | An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification,… |
| CVE-2025-6520 | CVE-2025-6520 CVSS 9.8 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Abis Technology BAPSIS allows Blind SQL Injection. This … |
| CVE-2025-6519 | CVE-2025-6519 CVSS 9.8 | E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the pas… |
| CVE-2025-6517 | CVE-2025-6517 CVSS 9.8 | A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\… |
| CVE-2025-6514 | CVE-2025-6514 CVSS 9.6 | mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL |
| CVE-2025-65135 | CVE-2025-65135 CVSS 9.8 | In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through… |
| CVE-2025-65133 | CVE-2025-65133 CVSS 9.8 | A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can su… |
| CVE-2025-6513 | CVE-2025-6513 CVSS 9.3 | Standard Windows users can access the configuration file for database access of the BRAIN2 application and decrypt it. |
| CVE-2025-65125 | CVE-2025-65125 CVSS 9.8 | SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information. |
| CVE-2025-6512 | CVE-2025-6512 CVSS 10.0 | On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights. |
| CVE-2025-65115 | CVE-2025-65115 CVSS 9.8 | Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Mana… |
| CVE-2025-65112 | CVE-2025-65112 CVSS 9.8 | PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to uplo… |
| CVE-2025-65110 | CVE-2025-65110 CVSS 9.3 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, a… |
| CVE-2025-65108 | CVE-2025-65108 CVSS 10.0 | md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that cont… |
| CVE-2025-65099 | CVE-2025-65099 CVSS 9.8 | Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execut… |
| CVE-2025-65091 | CVE-2025-65091 CVSS 10.0 | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (i… |
| CVE-2025-65085 | CVE-2025-65085 CVSS 9.8 | A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that co… |
| CVE-2025-65084 | CVE-2025-65084 CVSS 9.8 | An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could al… |
| CVE-2025-6507 | CVE-2025-6507 CVSS 9.8 | A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution an… |
| CVE-2025-65041 | CVE-2025-65041 CVSS 9.8 | Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-65037 | CVE-2025-65037 CVSS 10.0 | Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network. |
| CVE-2025-6503 | CVE-2025-6503 CVSS 9.8 | A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /… |
| CVE-2025-65026 | CVE-2025-65026 CVSS 9.6 | esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injectio… |
| CVE-2025-65025 | CVE-2025-65025 CVSS 9.8 | esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal duri… |
| CVE-2025-65021 | CVE-2025-65021 CVSS 9.1 | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll… |
| CVE-2025-6502 | CVE-2025-6502 CVSS 9.8 | A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file… |
| CVE-2025-6501 | CVE-2025-6501 CVSS 9.8 | A vulnerability, which was classified as critical, was found in code-projects Inventory Management System 1.0. This affects an unknown part of the file /php_ac… |
| CVE-2025-6500 | CVE-2025-6500 CVSS 9.8 | A vulnerability, which was classified as critical, has been found in code-projects Inventory Management System 1.0. Affected by this issue is some unknown func… |
| CVE-2025-6489 | CVE-2025-6489 CVSS 9.8 | A vulnerability has been found in itsourcecode Agri-Trading Online Shopping System 1.0 and classified as critical. This vulnerability affects unknown code of t… |
| CVE-2025-6483 | CVE-2025-6483 CVSS 9.8 | A vulnerability has been found in code-projects Simple Pizza Ordering System 1.0 and classified as critical. Affected by this vulnerability is an unknown funct… |
| CVE-2025-6482 | CVE-2025-6482 CVSS 9.8 | A vulnerability, which was classified as critical, was found in code-projects Simple Pizza Ordering System 1.0. Affected is an unknown function of the file /ed… |
| CVE-2025-6481 | CVE-2025-6481 CVSS 9.8 | A vulnerability, which was classified as critical, has been found in code-projects Simple Pizza Ordering System 1.0. This issue affects some unknown processing… |
| CVE-2025-6480 | CVE-2025-6480 CVSS 9.8 | A vulnerability classified as critical was found in code-projects Simple Pizza Ordering System 1.0. This vulnerability affects unknown code of the file /addcat… |