Skip to main content
CVE-2025-13633 HIGH PATCH This Week

Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Denial Of Service Memory Corruption Use After Free Ubuntu +4
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13720 HIGH PATCH This Week

Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Google Information Disclosure Ubuntu Debian Chrome +2
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13630 HIGH PATCH This Week

Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Memory Corruption Ubuntu Debian +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13631 HIGH PATCH This Week

Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143.0.7499.41 allowed a remote attacker to perform privilege escalation via a crafted file. (Chromium security severity: High)

Google Privilege Escalation Ubuntu Debian Chrome +1
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13871 HIGH This Week

Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows to upload files on behalf of the connected users and then access such files without authentication.

CSRF Opinio
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-10971 HIGH This Week

Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5.

Google Information Disclosure Android
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-12465 HIGH This Week

A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

SQLi
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-59704 MEDIUM POC This Month

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access the the BIOS menu because is has no password.

Authentication Bypass Nshield Connect Xc Base Firmware Nshield 5c Firmware Nshield Connect Xc High Firmware Nshield Connect Xc Mid Firmware +1
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-34352 HIGH PATCH This Week

JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.

Privilege Escalation Denial Of Service Microsoft Windows
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-64298 HIGH PATCH This Week

NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQLServer Express is used are exposed in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data.

Information Disclosure Microsoft Windows
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2024-45675 HIGH This Week

CVE-2024-45675 is a security vulnerability (CVSS 8.4) that allows a local user. High severity vulnerability requiring prompt remediation.

Information Disclosure IBM Informix Dynamic Server
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-62575 HIGH PATCH This Week

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures.

RCE Microsoft
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2025-61940 HIGH PATCH This Week

CVE-2025-61940 is a security vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Information Disclosure Microsoft Windows
NVD
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-13516 HIGH This Week

The SureMail - SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save_file() function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. While the plugin attempts to protect this directory with an Apache .htaccess file to disable PHP execution, this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. This makes it possible for unauthenticated attackers to achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code granted they are exploiting a site running on an affected web server configuration.

WordPress File Upload Nginx Apache PHP +1
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-13639 HIGH PATCH This Week

Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low)

Google XSS Ubuntu Debian Chrome +2
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-13001 MEDIUM POC This Month

The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks

SQLi WordPress Donations PHP
NVD WPScan
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-66416 HIGH POC PATCH GHSA This Week

CVE-2025-66416 is a security vulnerability (CVSS 8.1) that allows dns rebinding protection. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Authentication Bypass Python Mcp Python Sdk Red Hat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-66414 HIGH PATCH This Week

A security vulnerability in MCP TypeScript SDK (CVSS 8.1) that allows dns rebinding protection. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Authentication Bypass Mcp Typescript Sdk
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-59701 MEDIUM POC This Month

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).

Information Disclosure Nshield Hsmi Firmware Nshield Connect Xc High Firmware Nshield 5c Firmware Nshield Connect Xc Mid Firmware +1
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-64642 HIGH PATCH This Week

NMIS/BioDose V22.02 and previous versions' installation directory paths by default have insecure file permissions, which in certain deployment scenarios can enable users on client workstations to modify the program executables and libraries.

Information Disclosure
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-59700 LOW POC Monitor

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection).

Information Disclosure
NVD GitHub
CVSS 3.1
3.9
EPSS
0.0%
CVE-2025-11781 HIGH This Week

Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges.

Authentication Bypass Sge Plc50 Firmware Sge Plc1000 Firmware
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-66476 HIGH PATCH This Week

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

Information Disclosure Microsoft Ubuntu Debian Vim +2
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-20768 HIGH This Week

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4805.

Privilege Escalation Information Disclosure Buffer Overflow Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-20767 HIGH This Week

In display, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4807.

Memory Corruption Privilege Escalation Buffer Overflow Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-20766 HIGH This Week

CVE-2025-20766 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Privilege Escalation Buffer Overflow Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-20764 HIGH This Week

In smi, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10259774; Issue ID: MSV-5029.

Memory Corruption Privilege Escalation Buffer Overflow Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-20763 HIGH This Week

In mmdvfs, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267218; Issue ID: MSV-5032.

Memory Corruption Privilege Escalation Buffer Overflow Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-66468 HIGH PATCH This Week

The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.

XSS Grapesjs Cms
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-41015 HIGH PATCH This Week

User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'.

Information Disclosure Gim
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-41014 HIGH PATCH This Week

User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'.

Information Disclosure Gim
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13721 HIGH PATCH This Week

Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Google Information Disclosure Race Condition Ubuntu Debian +3
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64460 HIGH PATCH This Week

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Information Disclosure Python Ubuntu Debian Django +2
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13724 HIGH This Week

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-65858 LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.

XSS Debian
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-11789 HIGH This Week

Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'DownloadFile' function converts a parameter to an integer using 'atoi()' and then uses it as an index in the 'FilesDownload' array with '(&FilesDownload)[iVar2]'. If the parameter is too large, it will access memory beyond the limits.

Information Disclosure Buffer Overflow Sge Plc50 Firmware Sge Plc1000 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13295 HIGH PATCH This Week

Insertion of Sensitive Information Into Sent Data vulnerability in Argus Technology Inc. BILGER allows Choosing Message Identifier.This issue affects BILGER: before 2.4.9.

Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-61729 HIGH PATCH This Week

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Information Disclosure Ubuntu Debian Go Red Hat +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-64778 HIGH PATCH This Week

NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database.

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-58482 HIGH This Week

A security vulnerability in MPLocalService of MotionPhoto (CVSS 7.3) that allows local attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Motionphoto
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-58481 HIGH This Week

A security vulnerability in MPRemoteService of MotionPhoto (CVSS 7.3) that allows local attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Motionphoto
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-13387 HIGH This Week

The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-59696 LOW POC Monitor

CVE-2025-59696 is a security vulnerability (CVSS 3.2) that allows a physically proximate attacker. Risk factors: public PoC available.

Information Disclosure
NVD GitHub
CVSS 3.1
3.2
EPSS
0.0%
CVE-2025-20777 MEDIUM This Month

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4752.

Memory Corruption Privilege Escalation Buffer Overflow Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20776 MEDIUM This Month

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184297; Issue ID: MSV-4759.

Privilege Escalation Information Disclosure Buffer Overflow Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20775 MEDIUM This Month

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.

Denial Of Service Privilege Escalation Buffer Overflow Memory Corruption Use After Free +2
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20774 MEDIUM This Month

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4796.

Heap Overflow Privilege Escalation Buffer Overflow Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20773 MEDIUM This Month

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4797.

Denial Of Service Privilege Escalation Buffer Overflow Memory Corruption Use After Free +2
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20772 MEDIUM This Month

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.

Denial Of Service Privilege Escalation Buffer Overflow Memory Corruption Use After Free +2
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20771 MEDIUM This Month

CVE-2025-20771 is a security vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy