Critical
CVE-2024-0769
D-Link · DIR-859 Router
Added Jun 25, 2025
D-Link DIR-859 Router Path Traversal Vulnerability
D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.
Critical
CVE-2024-54085
AMI · MegaRAC SPx
Added Jun 25, 2025
AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
Critical
CVE-2023-0386
Linux · Kernel
Added Jun 17, 2025
Linux Kernel Improper Ownership Management Vulnerability
Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
Critical
CVE-2023-33538
TP-Link · Multiple Routers
Added Jun 16, 2025
TP-Link Multiple Routers Command Injection Vulnerability
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Critical
CVE-2025-43200
Apple · Multiple Products
Added Jun 16, 2025
Apple Multiple Products Unspecified Vulnerability
Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link.
Critical
CVE-2025-33053
Microsoft · Windows
Added Jun 10, 2025
Microsoft Windows External Control of File Name or Path Vulnerability
Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files.
Critical
CVE-2025-24016
Wazuh · Wazuh Server
Added Jun 10, 2025
Wazuh Server Deserialization of Untrusted Data Vulnerability
Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.
Critical
CVE-2024-42009
Roundcube · Webmail
Added Jun 9, 2025
RoundCube Webmail Cross-Site Scripting Vulnerability
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Critical
CVE-2025-32433
Erlang · Erlang/OTP
Added Jun 9, 2025
Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.
Critical
CVE-2025-5419
Google · Chromium V8
Added Jun 5, 2025
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Critical
CVE-2025-21479
Qualcomm · Multiple Chipsets
Added Jun 3, 2025
Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
Critical
CVE-2025-21480
Qualcomm · Multiple Chipsets
Added Jun 3, 2025
Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
Critical
CVE-2025-27038
Qualcomm · Multiple Chipsets
Added Jun 3, 2025
Qualcomm Multiple Chipsets Use-After-Free Vulnerability
Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.
Critical
CVE-2021-32030
ASUS · Routers
Added Jun 2, 2025
ASUS Routers Improper Authentication Vulnerability
ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Critical
CVE-2025-3935
ConnectWise · ScreenConnect
Added Jun 2, 2025
ConnectWise ScreenConnect Improper Authentication Vulnerability
ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.
Critical
CVE-2025-35939
Craft CMS · Craft CMS
Added Jun 2, 2025
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
Critical
CVE-2024-56145
Craft CMS · Craft CMS
Added Jun 2, 2025
Craft CMS Code Injection Vulnerability
Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.
Critical
CVE-2023-39780
ASUS · RT-AX55 Routers
Added Jun 2, 2025
ASUS RT-AX55 Routers OS Command Injection Vulnerability
ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.
Critical
CVE-2025-4632
Samsung · MagicINFO 9 Server
Added May 22, 2025
Samsung MagicINFO 9 Server Path Traversal Vulnerability
Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority.
Critical
CVE-2025-4427
Ivanti · Endpoint Manager Mobile (EPMM)
Added May 19, 2025
Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library.
Critical
CVE-2025-4428
Ivanti · Endpoint Manager Mobile (EPMM)
Added May 19, 2025
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036.
Critical
CVE-2024-11182
MDaemon · Email Server
Added May 19, 2025
MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.
Critical
CVE-2024-27443
Synacor · Zimbra Collaboration Suite (ZCS)
Added May 19, 2025
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.
Critical
CVE-2025-27920
Srimax · Output Messenger
Added May 19, 2025
Srimax Output Messenger Directory Traversal Vulnerability
Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
Critical
CVE-2023-38950
ZKTeco · BioTime
Added May 19, 2025
ZKTeco BioTime Path Traversal Vulnerability
ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.
