THREAT ALERT

ACT NOW CVE-2025-41244 7.8 VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | ACT NOW CVE-2025-20362 6.5 Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and EPSS exploitation probability 43.6%. | ACT NOW CVE-2025-20333 9.9 A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and EPSS exploitation probability 18.8%. | ACT NOW CVE-2025-20352 7.7 A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-10585 9.8 Google Chrome V8 JavaScript engine contains a type confusion vulnerability enabling heap corruption through crafted HTML pages, exploited in the wild in June 2025. | ACT NOW CVE-2025-26399 9.8 SolarWinds Web Help Desk contains an unauthenticated deserialization RCE via AjaxProxy, a patch bypass of both CVE-2024-28988 and CVE-2024-28986, the third iteration of this vulnerability. | EMERGENCY CVE-2025-59528 10.0 Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process. | ACT NOW CVE-2025-59689 6.1 Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48703 9.0 CentOS Web Panel (CWP) allows unauthenticated remote code execution through OS command injection in the filemanager changePerm request's t_total parameter. | ACT NOW CVE-2025-10035 10.0 Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures. | EMERGENCY CVE-2025-9242 9.3 WatchGuard Fireware OS contains an out-of-bounds write in IKEv2 VPN handling enabling unauthenticated remote code execution on WatchGuard firewalls. | EMERGENCY CVE-2025-52053 9.8 TOTOLINK X6000R router firmware V9.4.0cu.1360_B20241207 contains an unauthenticated command injection in the sub_417D74 function via the file_name parameter. Remote attackers can execute arbitrary commands on the router without authentication through crafted HTTP requests. | ACT NOW CVE-2025-21043 8.8 Samsung libimagecodec.quram.so contains a second out-of-bounds write in the image codec library, a separate vulnerability from CVE-2025-21042 affecting Samsung devices. | ACT NOW CVE-2025-21042 8.8 Samsung libimagecodec.quram.so contains an out-of-bounds write allowing remote code execution through crafted image files on Samsung Android devices. | ACT NOW CVE-2025-54123 9.8 Hoverfly API simulation tool version 1.11.3 and prior contains a command injection vulnerability in the middleware management endpoint /api/v2/hoverfly/middleware. Insufficient validation of user input allows authenticated attackers to execute arbitrary commands on the Hoverfly server. | EMERGENCY CVE-2025-54236 9.1 Adobe Commerce (Magento) contains an improper input validation vulnerability (CVE-2025-54236, CVSS 9.1) that enables unauthenticated session takeover with high confidentiality and integrity impact. KEV-listed with EPSS 73.7% and public PoC, this vulnerability threatens every Adobe Commerce storefront, potentially exposing customer payment data, order information, and administrative access to thousands of e-commerce sites. | ACT NOW CVE-2025-8085 8.6 The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.1%. | ACT NOW CVE-2025-48543 8.8 Android Chrome sandbox contains a use-after-free enabling sandbox escape and local privilege escalation to attack the Android system_server process. | ACT NOW CVE-2025-53690 9.0 Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing. |

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — September 29, 2025

115 CVEs tracked today. 18 Critical, 32 High, 62 Medium, 2 Low.

CVE-2025-56795 CRITICAL CVSS 9.0
Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Mealie
CVE-2025-54875 CRITICAL CVSS 9.8
FreshRSS is a free, self-hostable RSS aggregator. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Freshrss
CVE-2025-41244 HIGH CVSS 7.8
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Privilege Escalation VMware Aria Operations Cloud Foundation Cloud Foundation Operations
CVE-2025-34235 CRITICAL CVSS 9.5
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Microsoft Privilege Escalation Virtual Appliance Application Virtual Appliance Host
CVE-2025-34234 CRITICAL CVSS 9.2
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Docker Information Disclosure Virtual Appliance Application Virtual Appliance Host
CVE-2025-34224 CRITICAL CVSS 10.0
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Virtual Appliance Application Virtual Appliance Host
CVE-2025-34223 CRITICAL CVSS 10.0
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and an. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Virtual Appliance Application Virtual Appliance Host
CVE-2025-34222 CRITICAL CVSS 10.0
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose four admin routes -. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Docker Hp PHP Virtual Appliance Application
CVE-2025-34221 CRITICAL CVSS 10.0
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518 (VA/SaaS deployments) expose every internal Docker container to the. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Docker RCE Virtual Appliance Application Virtual Appliance Host
CVE-2025-34218 CRITICAL CVSS 10.0
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose internal Docker containers through the. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Docker Privilege Escalation Information Disclosure Virtual Appliance Application
CVE-2025-34216 CRITICAL CVSS 10.0
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Virtual Appliance Application Virtual Appliance Host
CVE-2025-34215 CRITICAL CVSS 9.4
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (only VA deployments) expose an unauthenticated firmware-upload flow:. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Docker RCE Virtual Appliance Application Virtual Appliance Host
CVE-2025-34211 CRITICAL CVSS 9.3
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA and SaaS deployments) contain a private SSL key and matching. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Virtual Appliance Application Virtual Appliance Host
CVE-2025-34209 CRITICAL CVSS 9.4
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.862 and Application prior to 20.0.2014 (VA and SaaS deployments) contain Docker images with the private GPG key and. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Docker Virtual Appliance Application Virtual Appliance Host
CVE-2025-34196 CRITICAL CVSS 9.3
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Microsoft Virtual Appliance Application Virtual Appliance Host Windows
CVE-2025-57266 CRITICAL CVSS 9.8
An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java
CVE-2025-30247 CRITICAL CVSS 9.3
An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
CVE-2025-8868 CRITICAL CVSS 9.8
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3%.

SQLi Automate
CVE-2024-13150 CRITICAL CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Fayton Software and Consulting Services fayton.Pro ERP allows SQL Injection.Pro ERP: through. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
CVE-2025-59942 HIGH CVSS 7.5
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Integer Overflow Go F3 Suse
CVE-2025-59937 HIGH CVSS 8.2
go-mail is a comprehensive library for sending mails with Go. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Go Mail Suse
CVE-2025-57516 HIGH CVSS 8.2
OS Command injection vulnerability in PublicCMS PublicCMS-V5.202506.a, and PublicCMS-V5.202506.b allowing attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Publiccms
CVE-2025-57483 HIGH CVSS 8.1
A reflected cross-site scripting (XSS) vulnerability in tawk.to chatbox widget v4 allows attackers to execute arbitrary Javascript in the context of the user's browser via injecting a crafted payload. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-57424 HIGH CVSS 7.3
A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-56449 HIGH CVSS 8.2
A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-56234 HIGH CVSS 7.5
AT_NA2000 from Nanda Automation Technology vendor has a denial-of-service vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
CVE-2025-56233 HIGH CVSS 7.5
Openindiana, kernel SunOS 5.11 has a denial of service vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
CVE-2025-54592 HIGH CVSS 8.8
FreshRSS is a free, self-hostable RSS aggregator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Freshrss
CVE-2025-54591 HIGH CVSS 7.5
FreshRSS is a free, self-hostable RSS aggregator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Freshrss
CVE-2025-51495 HIGH CVSS 7.5
An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Integer Overflow Mongoose Redhat
CVE-2025-48006 HIGH CVSS 8.8
Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Dataspider Servista
CVE-2025-45376 HIGH CVSS 7.5
Dell Repository Manager (DRM), versions 3.4.7 and 3.4.8, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. Rated high severity (CVSS 7.5). No vendor patch available.

Dell Information Disclosure Repository Manager
CVE-2025-41252 HIGH CVSS 7.5
Description: VMware NSX contains a username enumeration vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass VMware
CVE-2025-41251 HIGH CVSS 8.1
VMware NSX contains a weak password recovery mechanism vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure VMware
CVE-2025-41250 HIGH CVSS 8.5
VMware vCenter contains an SMTP header injection vulnerability. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection VMware
CVE-2025-41246 HIGH CVSS 7.6
VMware Tools for Windows contains an improper authorisation vulnerability due to the way it handles user access controls. Rated high severity (CVSS 7.6). No vendor patch available.

Authentication Bypass Microsoft VMware Windows
CVE-2025-36245 HIGH CVSS 8.8
IBM InfoSphere 11.7.0.0 through 11.7.1.6 Information Server could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection IBM Infosphere Information Server
CVE-2025-35030 HIGH CVSS 8.6
Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Enterprise Health
CVE-2025-34233 HIGH CVSS 8.5
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Virtual Appliance Application Virtual Appliance Host
CVE-2025-34231 HIGH CVSS 8.8
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind and non-blind server-side. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Hp SSRF Virtual Appliance Application
CVE-2025-34228 HIGH CVSS 8.8
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP SSRF Virtual Appliance Application Virtual Appliance Host
CVE-2025-34225 HIGH CVSS 8.8
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP SSRF Virtual Appliance Application Virtual Appliance Host
CVE-2025-34212 HIGH CVSS 8.7
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Jenkins Virtual Appliance Application Virtual Appliance Host
CVE-2025-34207 HIGH CVSS 7.9
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.1049 and Application prior to 20.0.2786 (VA and SaaS deployments) configure the SSH client within Docker instances with the. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Docker Virtual Appliance Application Virtual Appliance Host
CVE-2025-11130 HIGH CVSS 8.6
A weakness has been identified in iHongRen pptp-vpn 1.0/1.0.1 on macOS.m of the component XPC Service. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple macOS
CVE-2025-11126 HIGH CVSS 8.9
A security flaw has been discovered in Apeman ID71 218.53.203.117. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-9648 HIGH CVSS 8.7
A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Redhat Suse
CVE-2025-7104 HIGH CVSS 7.5
A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Librechat
CVE-2025-6724 HIGH CVSS 8.8
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in multiple services via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Automate
CVE-2024-57412 HIGH CVSS 7.5
An issue in SunOS Omnios v5.11 allows attackers to cause a Denial of Service (DoS) via repeatedly sending crafted TCP packets. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
CVE-2025-61659 MEDIUM CVSS 6.8
bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Suse
CVE-2025-59948 MEDIUM CVSS 6.7
FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Freshrss
CVE-2025-59941 MEDIUM CVSS 5.9
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable.

Authentication Bypass Go F3 Suse
CVE-2025-59940 MEDIUM CVSS 6.5
mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Redhat
CVE-2025-59933 MEDIUM CVSS 5.1
libvips is a demand-driven, horizontally threaded image processing library. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity.

Buffer Overflow Libvips Suse
CVE-2025-57879 MEDIUM CVSS 6.1
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Portal For Arcgis
CVE-2025-57878 MEDIUM CVSS 6.1
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Portal For Arcgis
CVE-2025-57877 MEDIUM CVSS 4.8
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Portal For Arcgis
CVE-2025-57876 MEDIUM CVSS 4.8
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Portal For Arcgis
CVE-2025-57875 MEDIUM CVSS 4.8
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Portal For Arcgis
CVE-2025-57874 MEDIUM CVSS 4.8
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Portal For Arcgis
CVE-2025-57873 MEDIUM CVSS 4.8
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Portal For Arcgis
CVE-2025-57872 MEDIUM CVSS 6.1
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Portal For Arcgis
CVE-2025-57871 MEDIUM CVSS 4.8
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Portal For Arcgis
CVE-2025-57769 MEDIUM CVSS 5.3
FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation XSS Freshrss
CVE-2025-57428 MEDIUM CVSS 6.5
Default credentials in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to gain access to the debug shell exposed via Telnet on Port 23 and execute. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-57197 MEDIUM CVSS 6.0
In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Google Android
CVE-2025-56807 MEDIUM CVSS 6.1
A cross-site scripting (XSS) vulnerability in FairSketch RISE Ultimate Project Manager & CRM 3.9.4 allows an administrator to store a JavaScript payload using the file explorer in the admin dashboard. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Rise Ultimate Project Manager
CVE-2025-56764 MEDIUM CVSS 5.3
Trivision NC-227WF firmware 5.80 (build 20141010) login mechanism reveals whether a username exists or not by returning different error messages ("Unknown user" vs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Trivision Nc 227Wf Firmware
CVE-2025-43820 MEDIUM CVSS 4.8
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4,. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
CVE-2025-43818 MEDIUM CVSS 4.8
Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
CVE-2025-43817 MEDIUM CVSS 4.8
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
CVE-2025-43815 MEDIUM CVSS 5.1
Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay Portal 7.4.3.102 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, and 2023.Q3.5 allows. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
CVE-2025-43813 MEDIUM CVSS 6.9
Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4,. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Digital Experience Platform Liferay Portal
CVE-2025-43812 MEDIUM CVSS 4.8
Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
CVE-2025-43811 MEDIUM CVSS 4.8
Multiple stored cross-site scripting (XSS) vulnerability in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
CVE-2025-43400 MEDIUM CVSS 6.3
An out-of-bounds write issue was addressed with improved bounds checking. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Apple
CVE-2025-41245 MEDIUM CVSS 4.9
VMware Aria Operations contains an information disclosure vulnerability. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure VMware
CVE-2025-36352 MEDIUM CVSS 6.4
IBM License Metric Tool 9.2.0 through 9.2.40 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS License Metric Tool
CVE-2025-36351 MEDIUM CVSS 4.3
IBM License Metric Tool 9.2.0 through 9.2.40 could allow an authenticated user to bypass access controls in the REST API interface and perform unauthorized actions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass IBM License Metric Tool
CVE-2025-36099 MEDIUM CVSS 4.9
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service IBM Websphere Application Server
CVE-2025-35034 MEDIUM CVSS 5.1
Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the 'portlet_user_id' URL parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Enterprise Health
CVE-2025-35033 MEDIUM CVSS 6.3
Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Enterprise Health
CVE-2025-35032 MEDIUM CVSS 6.2
Medical Informatics Engineering Enterprise Health allows authenticated users to upload arbitrary files. Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Enterprise Health
CVE-2025-35031 MEDIUM CVSS 4.6
Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Enterprise Health
CVE-2025-34232 MEDIUM CVSS 6.9
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP SSRF Virtual Appliance Application Virtual Appliance Host
CVE-2025-34230 MEDIUM CVSS 6.9
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Hp SSRF Virtual Appliance Application
CVE-2025-34229 MEDIUM CVSS 6.9
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Hp SSRF Virtual Appliance Application
CVE-2025-34220 MEDIUM CVSS 6.9
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contains a /api-gateway/identity/search-groups. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Virtual Appliance Application Virtual Appliance Host
CVE-2025-11155 MEDIUM CVSS 6.8
The credentials required to access the device's web server are sent in base64 within the HTTP headers. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-11147 MEDIUM CVSS 5.1
Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apt Cacher Ng
CVE-2025-11146 MEDIUM CVSS 5.1
Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apt Cacher Ng
CVE-2025-11141 MEDIUM CVSS 5.1
A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection PHP
CVE-2025-11140 MEDIUM CVSS 6.9
A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Zhiyou Erp
CVE-2025-11139 MEDIUM CVSS 5.3
A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Zhiyou Erp
CVE-2025-11138 MEDIUM CVSS 5.3
A vulnerability was found in mirweiye wenkucms up to 3.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Wenkucms
CVE-2025-11137 MEDIUM CVSS 5.1
A vulnerability has been found in Gstarsoft GstarCAD up to 9.4.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-11136 MEDIUM CVSS 5.1
A flaw has been found in YiFang CMS up to 2.0.2. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Yifang
CVE-2025-11135 MEDIUM CVSS 6.9
A vulnerability was detected in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Deserialization
CVE-2025-11134 MEDIUM CVSS 4.8
A security vulnerability has been detected in Cudy TR1200 1.16.3-20230804-164635. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-11125 MEDIUM CVSS 5.3
A vulnerability was found in langleyfcu Online Banking System up to 57437e6400ce0ae240e692c24e6346b8d0c17d7a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS
CVE-2025-10504 MEDIUM CVSS 6.9
Heap-based Buffer Overflow vulnerability in ABB Terra AC wallbox.8.33. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Abb
CVE-2025-10346 MEDIUM CVSS 5.3
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'subject' at the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfex Crm
CVE-2025-10345 MEDIUM CVSS 5.3
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'address'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfex Crm
CVE-2025-10344 MEDIUM CVSS 5.3
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfex Crm
CVE-2025-10343 MEDIUM CVSS 5.3
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'expense_name' at the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfex Crm
CVE-2025-10342 MEDIUM CVSS 5.3
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'name' at the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfex Crm
CVE-2025-10341 MEDIUM CVSS 5.3
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'company' at the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Perfex Crm
CVE-2025-9904 MEDIUM CVSS 5.3
CVE-2025-9904 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-9903 MEDIUM CVSS 5.9
Out-of-bounds write vulnerabilities exist in the print processing functionality of multiple Canon printer drivers, including Generic Plus variants (PCL6, UFR II, LIPS4, LIPSLX, PS) and standalone drivers (UFRII LT, CARPS2, Generic FAX, LIPS4, LIPSLX, UFR II, PS, PCL6). An attacker can exploit these memory corruption flaws via a malicious print job to corrupt memory, potentially leading to code execution or denial of service. The EPSS score of 0.04% (13th percentile) suggests low exploitation probability in the wild, and no active KEV status has been reported, indicating this is not currently being exploited at scale.

Buffer Overflow Hp Denial Of Service
CVE-2025-7698 MEDIUM CVSS 5.9
Out-of-bounds read vulnerabilities exist in the print processing functionality of multiple Canon printer driver families, including Generic Plus PCL6, UFR II, LIPS4, LIPSLX, PS, PCL6, CARPS2, and related variants. These vulnerabilities allow remote attackers to read sensitive memory contents (information disclosure) and potentially cause application crashes, requiring user interaction (opening a malicious print job) to trigger. With an EPSS score of 0.05% and no evidence of active exploitation in the wild, this represents a low real-world risk despite moderate CVSS scoring.

Buffer Overflow Information Disclosure Hp
CVE-2024-5200 MEDIUM CVSS 4.8
The Postie WordPress plugin before 1.9.71 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
CVE-2025-59163 LOW CVSS 2.1
vet is an open source software supply chain security tool. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
CVE-2025-55795 LOW CVSS 3.5
The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service Openml Org
CVE-2025-11150 None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure

Today's Vulnerabilities Vulnerabilities