ACT NOW
CVE-2025-21043
8.8
Samsung libimagecodec.quram.so contains a second out-of-bounds write in the image codec library, a separate vulnerability from CVE-2025-21042 affecting Samsung devices.
|
ACT NOW
CVE-2025-21042
8.8
Samsung libimagecodec.quram.so contains an out-of-bounds write allowing remote code execution through crafted image files on Samsung Android devices.
|
ACT NOW
CVE-2025-54123
9.8
Hoverfly API simulation tool version 1.11.3 and prior contains a command injection vulnerability in the middleware management endpoint /api/v2/hoverfly/middleware. Insufficient validation of user input allows authenticated attackers to execute arbitrary commands on the Hoverfly server.
|
EMERGENCY
CVE-2025-54236
9.1
Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote unauthenticated attackers to take over active user sessions via improper input validation, confirmed actively exploited (CISA KEV). With 73.72% EPSS score (99th percentile) and public exploit code available, this represents a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts including administrative sessions without requiring victim interaction.
|
ACT NOW
CVE-2025-8085
8.6
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.1%.
|
ACT NOW
CVE-2025-48543
8.8
Android Chrome sandbox contains a use-after-free enabling sandbox escape and local privilege escalation to attack the Android system_server process.
|
ACT NOW
CVE-2025-53690
9.0
Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing.
|
ACT NOW
CVE-2025-9377
8.6
TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental Control page, affecting end-of-life devices with no patch available.
|
ACT NOW
CVE-2025-55177
5.4
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available.
|
EMERGENCY
CVE-2025-57819
10.0
FreePBX 15, 16, and 17 contain SQL injection vulnerabilities enabling unauthenticated access to the administrator interface, leading to database manipulation and remote code execution.
|
ACT NOW
CVE-2025-7775
9.2
Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability enabling remote code execution and denial of service when configured as VPN, AAA, or load balancing virtual servers.
|
EMERGENCY
CVE-2025-43300
10.0
Apple iOS/iPadOS contain an out-of-bounds write in image processing that allows code execution through malicious images, exploited in extremely sophisticated targeted attacks against specific individuals.
|
EMERGENCY
CVE-2025-7441
9.8
The StoryChief WordPress plugin through version 1.0.42 contains an unauthenticated arbitrary file upload via the /wp-json/storychief/webhook REST API endpoint. Insufficient file type validation allows attackers to upload executable PHP files, achieving remote code execution on the WordPress server.
|
EMERGENCY
CVE-2025-8876
9.4
N-able N-central before 2025.3.1 contains an OS command injection through improper input validation, companion vulnerability to CVE-2025-8875.
|
ACT NOW
CVE-2025-8875
9.4
N-able N-central before 2025.3.1 contains a deserialization vulnerability allowing local code execution through crafted serialized data.
|
ACT NOW
CVE-2025-8943
9.8
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS commands. The combination of no default authentication and the ability to spawn local processes via tools like npx enables unauthenticated remote code execution on any Flowise installation.
|
Today's Vulnerabilities Vulnerabilities
Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.
CVEs published in review
Get CVEs that hit your stack — not 200/day
Pick your technologies, get a weekly digest by email. Free, no spam.
React
Python
Postgres
+200 more
React
Next.js
Python
Postgres
AWS
+200 more
Trending Now
See all
Critical Watch
See all
KEV
POC
CVSS
No critical watch entries today
Attack Technique Trend
Prediction based on ZDI Disclosures & CVE data
· 30 days
Vendor Today – Quick Filter
Techniques
POC
CISA KEV
PATCH
UNPATCHED
results
Sort:
Base Score
Vector String
Attack Vector (AV)
Attack Complexity (AC)
Privileges Required (PR)
User Interaction (UI)
Scope (S)
Confidentiality (C)
Integrity (I)
Availability (A)
0
|
3.9|
6.9|
8.9|
10
NONE
LOW
MEDIUM
HIGH
CRITICAL
CVSS Filter
– CVEs match
No CVEs match the selected criteria
Loading...
Incoming
20
Pre-NVD – not yet scored
No vulnerabilities found for this date.
Data may not have been fetched yet.
Live Feed
auto-refresh 60s
Track CVEs for your stack
Sign up free →