132 CVEs tracked today. 12 Critical, 65 High, 38 Medium, 10 Low.
-
CVE-2025-57347
CRITICAL
CVSS 9.8
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
RCE
Prototype Pollution
Node.js
Dagre D3 Es
-
CVE-2025-57321
CRITICAL
CVSS 9.8
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Magix Combine Ex
-
CVE-2025-20352
HIGH
CVSS 7.7
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (CISA KEV) and no vendor patch available.
Stack Overflow
Buffer Overflow
Apple
RCE
Denial Of Service
-
CVE-2025-10585
CRITICAL
CVSS 9.8
Google Chrome V8 JavaScript engine contains a type confusion vulnerability enabling heap corruption through crafted HTML pages, exploited in the wild in June 2025.
Memory Corruption
Google
Information Disclosure
Chrome
Suse
-
CVE-2025-9054
CRITICAL
CVSS 9.8
The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
WordPress
Privilege Escalation
PHP
-
CVE-2025-59827
CRITICAL
CVSS 9.8
Flag Forge is a Capture The Flag (CTF) platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Privilege Escalation
Flagforge
-
CVE-2025-56819
CRITICAL
CVSS 9.8
An issue in Datart v.1.0.0-rc.3 allows a remote attacker to execute arbitrary code via the INIT connection parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Command Injection
RCE
Datart
-
CVE-2025-52906
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.4.0cu.1360_B20241207. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Command Injection
X6000r Firmware
TOTOLINK
-
CVE-2025-41715
CRITICAL
CVSS 9.8
The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-27034
CRITICAL
CVSS 9.8
Memory corruption while selecting the PLMN from SOR failed list. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
Qca6174a Firmware
Qca6391 Firmware
-
CVE-2025-21483
CRITICAL
CVSS 9.8
Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Apq8017 Firmware
Apq8064au Firmware
Aqt1000 Firmware
Fastconnect 6200 Firmware
-
CVE-2025-10894
CRITICAL
CVSS 9.6
Malicious code was inserted into the Nx (build system) package and several related plugins. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Node.js
Redhat
-
CVE-2025-10890
CRITICAL
CVSS 9.1
Side-channel information leakage in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Google
Information Disclosure
Chrome
Suse
-
CVE-2025-59833
HIGH
CVSS 7.5
Flag Forge is a Capture The Flag (CTF) platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Flagforge
-
CVE-2025-59828
HIGH
CVSS 7.7
Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Claude Code
-
CVE-2025-59525
HIGH
CVSS 7.7
Horilla is a free and open source Human Resource Management System (HRMS). Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Horilla
-
CVE-2025-59524
HIGH
CVSS 7.7
Horilla is a free and open source Human Resource Management System (HRMS). Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
File Upload
XSS
Horilla
-
CVE-2025-59343
HIGH
CVSS 8.7
tar-fs provides filesystem bindings for tar-stream. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Path Traversal
Redhat
Suse
-
CVE-2025-59305
HIGH
CVSS 7.6
Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Denial Of Service
Langfuse
-
CVE-2025-59251
HIGH
CVSS 7.6
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stack Overflow
Buffer Overflow
Google
Microsoft
RCE
-
CVE-2025-58319
HIGH
CVSS 7.8
Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Stack Overflow
Cncsoft G2
-
CVE-2025-58317
HIGH
CVSS 7.8
Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Stack Overflow
Cncsoft G2
-
CVE-2025-57350
HIGH
CVSS 8.6
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Csvtojson
Redhat
-
CVE-2025-57349
HIGH
CVSS 7.5
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
Prototype Pollution
Messageformat
-
CVE-2025-57330
HIGH
CVSS 7.5
The web3-core-subscriptions is a package designed to manage web3 subscriptions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Web3 Core Subscriptions
-
CVE-2025-57329
HIGH
CVSS 7.5
web3-core-method is a package designed to create the methods on the web3 modules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Web3 Core Method
-
CVE-2025-57328
HIGH
CVSS 7.5
toggle-array is a package designed to enable a property on the object at the specified index, while disabling the property on all other objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Toggle Array
-
CVE-2025-57327
HIGH
CVSS 7.5
spmrc is a package that provides the rc manager for spm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Spmrc
-
CVE-2025-57326
HIGH
CVSS 7.5
A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Sassdoc Extras
-
CVE-2025-57325
HIGH
CVSS 7.5
rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Rollbar
-
CVE-2025-57323
HIGH
CVSS 7.5
mpregular is a package that provides a small program development framework based on RegularJS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Mpregular
-
CVE-2025-57319
HIGH
CVSS 7.5
fast-redact is a package that provides very fast object redaction. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Redhat
-
CVE-2025-57318
HIGH
CVSS 7.5
A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Csvjson
-
CVE-2025-56816
HIGH
CVSS 8.8
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RCE
Deserialization
Path Traversal
Datart
-
CVE-2025-56815
HIGH
CVSS 7.1
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal in the POST /viz/image interface, since the server directly uses MultipartFile.transferTo() to save the uploaded file to a path controllable by. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Path Traversal
Datart
-
CVE-2025-56241
HIGH
CVSS 7.5
Aztech DSL5005EN firmware 1.00.AZ_2013-05-10 and possibly other versions allows unauthenticated attackers to change the administrator password via a crafted POST request to sysAccess.asp. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
-
CVE-2025-55322
HIGH
CVSS 7.3
Binding to an unrestricted IP address in GitHub allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Omniparser
-
CVE-2025-54520
HIGH
CVSS 8.6
Improper Protection Against Voltage and Clock Glitches in FPGA devices, could allow an attacker with physical access to undervolt the platform resulting in a loss of confidentiality. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-52907
HIGH
CVSS 7.3
Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation.4.0cu.1360_B20241207. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Command Injection
X6000r Firmware
TOTOLINK
-
CVE-2025-48869
HIGH
CVSS 7.5
Horilla is a free and open source Human Resource Management System (HRMS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Horilla
-
CVE-2025-48868
HIGH
CVSS 7.2
Horilla is a free and open source Human Resource Management System (HRMS). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Python
RCE
Code Injection
Horilla
-
CVE-2025-48392
HIGH
CVSS 7.5
A vulnerability in Apache IoTDB.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
Apache
Iotdb
-
CVE-2025-47329
HIGH
CVSS 7.8
Memory corruption while handling invalid inputs in application info setup. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Fastconnect 7800 Firmware
Qam8255p Firmware
Qam8775p Firmware
Qca6574 Firmware
-
CVE-2025-47328
HIGH
CVSS 7.5
Transient DOS while processing power control requests with invalid antenna or stream values. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Fastconnect 7800 Firmware
Immersive Home 3210 Platform Firmware
Immersive Home 326 Platform Firmware
Ipq5300 Firmware
-
CVE-2025-47327
HIGH
CVSS 7.8
Memory corruption while encoding the image data. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Memory Corruption
Buffer Overflow
Use After Free
Aqt1000 Firmware
Fastconnect 6200 Firmware
-
CVE-2025-47326
HIGH
CVSS 7.5
Transient DOS while handling command data during power control processing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Ar8035 Firmware
Csr8811 Firmware
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2025-47318
HIGH
CVSS 7.5
Transient DOS while parsing the EPTM test control message to get the test pattern. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Apq8017 Firmware
Apq8064au Firmware
Aqt1000 Firmware
Ar8031 Firmware
-
CVE-2025-47317
HIGH
CVSS 7.8
Memory corruption due to global buffer overflow when a test command uses an invalid payload type. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Fastconnect 6200 Firmware
Fastconnect 6700 Firmware
Fastconnect 7800 Firmware
Qcc5161 Firmware
-
CVE-2025-47316
HIGH
CVSS 7.8
Memory corruption due to double free when multiple threads race to set the timestamp store. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Aqt1000 Firmware
Fastconnect 6200 Firmware
Fastconnect 6700 Firmware
Fastconnect 6800 Firmware
-
CVE-2025-47315
HIGH
CVSS 7.8
Memory corruption while handling repeated memory unmap requests from guest VM. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Memory Corruption
Buffer Overflow
Use After Free
Qam8255p Firmware
Qam8295p Firmware
-
CVE-2025-47314
HIGH
CVSS 7.8
Memory corruption while processing data sent by FE driver. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
Qam8650p Firmware
-
CVE-2025-39889
HIGH
CVSS 8.1
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Check encryption key size on incoming connection This is required for passing GAP/SEC/SEM/BI-04-C PTS test case:. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Information Disclosure
Linux
Redhat
Suse
-
CVE-2025-27077
HIGH
CVSS 7.8
Memory corruption while processing message in guest VM. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Memory Corruption
Buffer Overflow
Use After Free
Qam8255p Firmware
Qam8295p Firmware
-
CVE-2025-27037
HIGH
CVSS 7.8
Memory corruption while processing config_dev IOCTL when camera kernel driver drops its reference to CPU buffers. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Memory Corruption
Buffer Overflow
Use After Free
Fastconnect 6800 Firmware
Fastconnect 6900 Firmware
-
CVE-2025-27032
HIGH
CVSS 7.8
Memory corruption while loading a PIL authenticated VM, when authenticated VM image is loaded without maintaining cache coherency. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Aqt1000 Firmware
Ar8035 Firmware
Fastconnect 6200 Firmware
Fastconnect 6700 Firmware
-
CVE-2025-23354
HIGH
CVSS 7.8
NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
RCE
Nvidia
Code Injection
Information Disclosure
Megatron Lm
-
CVE-2025-23353
HIGH
CVSS 7.8
NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
RCE
Nvidia
Code Injection
Information Disclosure
Megatron Lm
-
CVE-2025-23349
HIGH
CVSS 7.8
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
RCE
Nvidia
Code Injection
Information Disclosure
Megatron Lm
-
CVE-2025-23348
HIGH
CVSS 7.8
NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
RCE
Nvidia
Code Injection
Information Disclosure
Megatron Lm
-
CVE-2025-21488
HIGH
CVSS 8.2
Information disclosure while decoding RTP packet headers received by UE from the network when the padding bit is set. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Fastconnect 6200 Firmware
Fastconnect 6700 Firmware
Fastconnect 6900 Firmware
-
CVE-2025-21487
HIGH
CVSS 8.2
Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Apq8017 Firmware
Apq8064au Firmware
Aqt1000 Firmware
-
CVE-2025-21484
HIGH
CVSS 8.2
Information disclosure when UE receives the RTP packet from the network, while decoding and reassembling the fragments from RTP packet. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Sm8750 Firmware
Sm8750p Firmware
Sm8850 Firmware
-
CVE-2025-21482
HIGH
CVSS 7.1
Cryptographic issue while performing RSA PKCS padding decoding. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
Information Disclosure
315 5g Iot Modem Firmware
9205 Lte Modem Firmware
9206 Lte Modem Firmware
9207 Lte Modem Firmware
-
CVE-2025-21481
HIGH
CVSS 7.8
Memory corruption while performing private key encryption in trusted application. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
315 5g Iot Modem Firmware
Aqt1000 Firmware
Ar8031 Firmware
Ar8035 Firmware
-
CVE-2025-21476
HIGH
CVSS 7.8
Memory corruption when passing parameters to the Trusted Virtual Machine during the handshake. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qcs6490 Firmware
Qcs8550 Firmware
Qcs9100 Firmware
Sg8275 Firmware
-
CVE-2025-20334
HIGH
CVSS 8.8
A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cisco
Command Injection
Apple
-
CVE-2025-20327
HIGH
CVSS 7.7
A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service (DoS) condition on an affected device. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial Of Service
Cisco
Apple
-
CVE-2025-20315
HIGH
CVSS 8.6
A vulnerability in the Network-Based Application Recognition (NBAR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, causing a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
Cisco
Apple
-
CVE-2025-20312
HIGH
CVSS 7.7
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial Of Service
Apple
Cisco
-
CVE-2025-20311
HIGH
CVSS 7.4
A vulnerability in the handling of certain Ethernet frames in Cisco IOS XE Software for Catalyst 9000 Series Switches could allow an unauthenticated, adjacent attacker to cause an egress port to. Rated high severity (CVSS 7.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
Cisco
Apple
-
CVE-2025-20160
HIGH
CVSS 8.1
A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Authentication Bypass
Cisco
Apple
Information Disclosure
-
CVE-2025-10906
HIGH
CVSS 8.6
A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Apple
macOS
iOS
-
CVE-2025-10892
HIGH
CVSS 8.8
Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Google
Chrome
Suse
-
CVE-2025-10891
HIGH
CVSS 8.8
Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Google
Chrome
Suse
-
CVE-2025-10502
HIGH
CVSS 8.8
Heap buffer overflow in ANGLE in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap Overflow
Buffer Overflow
Google
Chrome
Suse
-
CVE-2025-10501
HIGH
CVSS 8.8
Use after free in WebRTC in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Memory Corruption
Google
Denial Of Service
Use After Free
Chrome
-
CVE-2025-10500
HIGH
CVSS 8.8
Use after free in Dawn in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Memory Corruption
Google
Denial Of Service
Use After Free
Chrome
-
CVE-2025-60020
MEDIUM
CVSS 6.4
nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
-
CVE-2025-58457
MEDIUM
CVSS 4.3
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions.9.0 before 3.9.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Apache
Zookeeper
Redhat
-
CVE-2025-57354
MEDIUM
CVSS 6.5
A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RCE
Prototype Pollution
Node.js
-
CVE-2025-57353
MEDIUM
CVSS 5.3
The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Node.js
-
CVE-2025-57352
MEDIUM
CVSS 5.3
A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
RCE
Prototype Pollution
Redhat
-
CVE-2025-57351
MEDIUM
CVSS 6.5
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RCE
Prototype Pollution
-
CVE-2025-57348
MEDIUM
CVSS 6.5
The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
RCE
Prototype Pollution
Node Cube
-
CVE-2025-57324
MEDIUM
CVSS 6.5
parse is a package designed to parse JavaScript SDK. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Parse Javascript Sdk
-
CVE-2025-57320
MEDIUM
CVSS 6.5
json-schema-editor-visual is a package that provides jsonschema editor. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Prototype Pollution
Json Schema Editor Visual
-
CVE-2025-55178
MEDIUM
CVSS 5.3
Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function which could potentially allow for remote code execution. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Redhat
-
CVE-2025-48867
MEDIUM
CVSS 4.8
Horilla is a free and open source Human Resource Management System (HRMS). Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Horilla
-
CVE-2025-48459
MEDIUM
CVSS 5.3
Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
Apache
Iotdb
-
CVE-2025-43819
MEDIUM
CVSS 5.3
An Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Digital Experience Platform
Liferay Portal
-
CVE-2025-43779
MEDIUM
CVSS 6.9
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Digital Experience Platform
Liferay Portal
-
CVE-2025-41716
MEDIUM
CVSS 5.3
The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-39890
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event Currently, in ath12k_service_ready_ext_event(),. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity.
Information Disclosure
Linux
Linux Kernel
Redhat
Suse
-
CVE-2025-27036
MEDIUM
CVSS 6.1
Information disclosure when Video engine escape input data is less than expected minimum size. Rated medium severity (CVSS 6.1), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Fastconnect 6700 Firmware
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2025-27033
MEDIUM
CVSS 6.1
Information disclosure while running video usecase having rogue firmware. Rated medium severity (CVSS 6.1), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Qcm5430 Firmware
Qcm6490 Firmware
Qcs5430 Firmware
-
CVE-2025-27030
MEDIUM
CVSS 6.1
Information disclosure while invoking calibration data from user space to update firmware size. Rated medium severity (CVSS 6.1), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
C V2x 9150 Firmware
Qam8295p Firmware
Qca6574au Firmware
-
CVE-2025-23275
MEDIUM
CVSS 4.2
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvJPEG where a local authenticated user may cause a GPU out-of-bounds write by providing certain image dimensions. Rated medium severity (CVSS 4.2). No vendor patch available.
Nvidia
Memory Corruption
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2025-23274
MEDIUM
CVSS 4.5
NVIDIA nvJPEG contains a vulnerability in jpeg encoding where a user may cause an out-of-bounds read by providing a maliciously crafted input image with dimensions that cause integer overflows in. Rated medium severity (CVSS 4.5). No vendor patch available.
Denial Of Service
Buffer Overflow
Nvidia
Information Disclosure
-
CVE-2025-23272
MEDIUM
CVSS 5.7
NVIDIA nvJPEG library contains a vulnerability where an attacker can cause an out-of-bounds read by means of a specially crafted JPEG file. Rated medium severity (CVSS 5.7), this vulnerability requires no authentication. No vendor patch available.
Denial Of Service
Buffer Overflow
Nvidia
Information Disclosure
-
CVE-2025-20365
MEDIUM
CVSS 4.3
A vulnerability in the IPv6 Router Advertisement (RA) packet processing of Cisco Access Point Software could allow an unauthenticated, adjacent attacker to modify the IPv6 gateway on an affected. Rated medium severity (CVSS 4.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Cisco
Information Disclosure
-
CVE-2025-20364
MEDIUM
CVSS 4.3
A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames. Rated medium severity (CVSS 4.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Cisco
Code Injection
-
CVE-2025-20339
MEDIUM
CVSS 5.8
A vulnerability in the access control list (ACL) processing of IPv4 packets of Cisco SD-WAN vEdge Software could allow an unauthenticated, remote attacker to bypass a configured ACL. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Cisco
-
CVE-2025-20338
MEDIUM
CVSS 6.0
A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker with administrative privileges to execute arbitrary commands as root on the underlying operating. Rated medium severity (CVSS 6.0), this vulnerability has low attack complexity. No vendor patch available.
Cisco
Apple
Information Disclosure
Ios Xe
-
CVE-2025-20316
MEDIUM
CVSS 5.3
A vulnerability in the access control list (ACL) programming of Cisco IOS XE Software for Cisco Catalyst 9500X and 9600X Series Switches could allow an unauthenticated, remote attacker to bypass a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Cisco
Apple
-
CVE-2025-20314
MEDIUM
CVSS 6.7
A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Authentication Bypass
Cisco
Apple
-
CVE-2025-20313
MEDIUM
CVSS 6.7
Multiple vulnerabilities in Cisco IOS XE Software of could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Cisco
Apple
Path Traversal
-
CVE-2025-20293
MEDIUM
CVSS 5.3
A vulnerability in the Day One setup process of Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL) could allow an unauthenticated, remote attacker to access the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cisco
Apple
Information Disclosure
-
CVE-2025-20240
MEDIUM
CVSS 6.1
A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cisco
Apple
XSS
-
CVE-2025-20149
MEDIUM
CVSS 6.5
A vulnerability in the CLI of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of. Rated medium severity (CVSS 6.5), this vulnerability has low attack complexity. No vendor patch available.
Denial Of Service
Cisco
Buffer Overflow
Apple
-
CVE-2025-10909
MEDIUM
CVSS 4.8
A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-10360
MEDIUM
CVSS 6.9
In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-9353
MEDIUM
CVSS 6.4
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-9031
MEDIUM
CVSS 4.3
Observable Timing Discrepancy vulnerability in DivvyDrive Information Technologies Inc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-8869
MEDIUM
CVSS 5.9
When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Python
Information Disclosure
Redhat
Suse
-
CVE-2024-58241
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Disable works on hci_unregister_dev This makes use of disable_work_* on hci_unregister_dev since the hci_dev is. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity.
Information Disclosure
Linux
Linux Kernel
Redhat
Suse
-
CVE-2025-59930
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59929
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59928
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59927
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59926
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59925
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59924
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59824
LOW
CVSS 0.5
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Rated low severity (CVSS 0.5), this vulnerability is remotely exploitable. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Authentication Bypass
Kubernetes
Omni
-
CVE-2025-23346
LOW
CVSS 3.3
NVIDIA CUDA Toolkit contains a vulnerability in cuobjdump, where an unprivileged user can cause a NULL pointer dereference. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Null Pointer Dereference
Nvidia
Cuda Toolkit
-
CVE-2025-23340
LOW
CVSS 3.3
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Buffer Overflow
Nvidia
Information Disclosure
Cuda Toolkit
-
CVE-2025-23339
LOW
CVSS 3.3
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in cuobjdump where an attacker may cause a stack-based buffer overflow by getting the user to run cuobjdump on a malicious ELF file. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Nvidia
Stack Overflow
RCE
Cuda Toolkit
-
CVE-2025-23338
LOW
CVSS 3.3
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where a user may cause an out-of-bounds write by running nvdisasm on a malicious ELF file. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Buffer Overflow
Nvidia
Cuda Toolkit
-
CVE-2025-23308
LOW
CVSS 3.3
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where an attacker may cause a heap-based buffer overflow by getting the user to run nvdisasm on a malicious ELF file. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Heap Overflow
Buffer Overflow
Nvidia
RCE
Cuda Toolkit
-
CVE-2025-23273
LOW
CVSS 2.5
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvJPEG where a local authenticated user may cause a divide by zero error by submitting a specially crafted JPEG file. Rated low severity (CVSS 2.5). No vendor patch available.
Denial Of Service
Nvidia
Cuda Toolkit
Nvjpeg
-
CVE-2025-23271
LOW
CVSS 3.3
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Buffer Overflow
Nvidia
Information Disclosure
Cuda Toolkit
-
CVE-2025-23255
LOW
CVSS 3.3
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the cuobjdump binary where a user may cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Buffer Overflow
Nvidia
Information Disclosure
Cuda Toolkit
-
CVE-2025-23248
LOW
CVSS 3.3
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. Rated low severity (CVSS 3.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Buffer Overflow
Nvidia
Information Disclosure
Cuda Toolkit