VYPR

CVEs

1,630 total · page 3 of 33

  • CVE-2025-8110 · KEV · Dec 10, 2025
    risk 0.11 · cvss n/a · epss 0.77

    Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

  • CVE-2025-59718 · Critical · KEV · Dec 9, 2025
    risk 0.77 · cvss 9.8 · epss 0.66

    An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0…

  • CVE-2025-62221 · KEV · Dec 9, 2025
    risk 0.12 · cvss n/a · epss 0.02

    Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

  • CVE-2025-48633 · KEV · Dec 8, 2025
    risk 0.12 · cvss n/a · epss 0.00

    In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not…

  • CVE-2025-48572 · KEV · Dec 8, 2025
    risk 0.12 · cvss n/a · epss 0.00

    In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-34291 · High · KEV · Dec 5, 2025
    risk 0.65 · cvss 8.8 · epss 0.79

    Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as…
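    The weak setting named in the Langflow entry, allow_origins='*' together with allow_credentials=True, is worth seeing next to its hardened form. The block below is an added example, not Langflow's code: a small model of how a CORS middleware picks its response headers, plus the static check a reviewer would run over the settings. The reflection rule it models (under a wildcard, a request that carries cookies gets its own Origin echoed back, because browsers reject '*' on credentialed responses) follows Starlette's CORSMiddleware and is stated here as an assumption to verify against the version you deploy; the configurations and origins are constructed.

```python
"""Added example, not Langflow's code: model of CORS response-header selection
to contrast allow_origins='*' + allow_credentials=True with an allowlist.
Assumption: the wildcard-plus-cookie reflection rule mirrors Starlette's
CORSMiddleware; check it against the deployed version."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    allow_origins: tuple[str, ...]
    allow_credentials: bool = False


def cors_headers(cfg: CorsConfig, origin: str, has_cookie: bool) -> dict[str, str]:
    """Headers a middleware adds to a simple (non-preflight) response."""
    headers: dict[str, str] = {}
    allow_all = "*" in cfg.allow_origins
    if allow_all:
        if has_cookie:
            # '*' is useless to a browser on a credentialed request, so the
            # middleware echoes the concrete origin: any origin, attacker's included.
            headers["Access-Control-Allow-Origin"] = origin
            headers["Vary"] = "Origin"
        else:
            headers["Access-Control-Allow-Origin"] = "*"
    elif origin in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    else:
        return headers  # unknown origin: no CORS headers, the browser blocks the read
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def credentialed_cross_origin_read(cfg: CorsConfig, origin: str) -> bool:
    """Can a page on `origin` send the victim's cookies and read the response body?
    That is the precondition for lifting a token out of a JSON response."""
    h = cors_headers(cfg, origin, has_cookie=True)
    return (h.get("Access-Control-Allow-Origin") == origin
            and h.get("Access-Control-Allow-Credentials") == "true")


def audit(cfg: CorsConfig) -> list[str]:
    """Static check a reviewer can run over the settings alone."""
    findings: list[str] = []
    if "*" in cfg.allow_origins and cfg.allow_credentials:
        findings.append("wildcard origin with allow_credentials=True: every site "
                        "can make credentialed requests and read the responses")
    if "null" in cfg.allow_origins:
        findings.append("'null' origin allowed: sandboxed iframes and data: URLs match it")
    return findings


# Constructed configurations and origins for the demonstration.
WEAK = CorsConfig(allow_origins=("*",), allow_credentials=True)
HARDENED = CorsConfig(allow_origins=("https://app.example.internal",), allow_credentials=True)
ATTACKER_ORIGIN = "https://attacker.example"
```

    With WEAK, credentialed_cross_origin_read returns True for the attacker's origin; with HARDENED it returns True only for the listed origin and the attacker gets no CORS headers at all. The audit function is the piece to wire into a configuration test so the combination cannot ship again.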

  • CVE-2025-66644 · KEV · Dec 5, 2025
    risk 0.12 · cvss n/a · epss 0.03

    Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

  • CVE-2025-55182 · KEV · Dec 3, 2025
    risk 0.22 · cvss n/a · epss 1.00

    A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code…

  • CVE-2025-58360 · KEV · Nov 25, 2025
    risk 0.22 · cvss n/a · epss 0.67

    GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms…

  • CVE-2025-58034 · KEV · Nov 18, 2025
    risk 0.19 · cvss n/a · epss 0.54

    An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0…

  • CVE-2025-13223 · KEV · Nov 17, 2025
    risk 0.12 · cvss n/a · epss 0.05

    Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2025-64446 · KEV · Nov 14, 2025
    risk 0.22 · cvss n/a · epss 0.90

    A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via…

  • CVE-2025-60710 · High · KEV · Nov 11, 2025
    risk 0.64 · cvss 7.8 · epss 0.05

    Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

  • CVE-2025-62215 · KEV · Nov 11, 2025
    risk 0.15 · cvss n/a · epss 0.06

    Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally.

  • CVE-2025-12480 · KEV · Nov 10, 2025
    risk 0.18 · cvss n/a · epss 0.90

    Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.

  • CVE-2025-64328 · KEV · Nov 7, 2025
    risk 0.21 · cvss n/a · epss 0.84

    FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known…

  • CVE-2023-43000 · KEV · Nov 5, 2025
    risk 0.12 · cvss n/a · epss 0.04

    A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption.

  • CVE-2025-11953 · KEV · Nov 3, 2025
    risk 0.10 · cvss n/a · epss 0.62

    The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server…

  • CVE-2025-61757 · KEV · Oct 21, 2025
    risk 0.19 · cvss n/a · epss 0.88

    Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to…

  • CVE-2025-61932 · KEV · Oct 20, 2025
    risk 0.12 · cvss n/a · epss 0.03

    Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets.

  • CVE-2025-53521 · Critical · KEV · Oct 15, 2025
    risk 0.76 · cvss 9.8 · epss 0.02

    When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-59287 · KEV · Oct 14, 2025
    risk 0.21 · cvss n/a · epss 1.00

    Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

  • CVE-2025-59230 · KEV · Oct 14, 2025
    risk 0.12 · cvss n/a · epss 0.03

    Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.

  • CVE-2025-24990 · KEV · Oct 14, 2025
    risk 0.12 · cvss n/a · epss 0.06

    Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update. Fax…

  • CVE-2025-61884 · KEV · Oct 12, 2025
    risk 0.22 · cvss n/a · epss 0.98

    Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle…

  • CVE-2025-11371 · KEV · Oct 9, 2025
    risk 0.20 · cvss n/a · epss 0.92

    In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts…

  • CVE-2025-61882 · KEV · Oct 5, 2025
    risk 0.28 · cvss n/a · epss 1.00

    Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to…

  • CVE-2025-41244 · KEV · Sep 29, 2025
    risk 0.12 · cvss n/a · epss 0.08

    VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this…

  • CVE-2025-20362 · KEV · Sep 25, 2025
    risk 0.15 · cvss n/a · epss 0.86

    Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload,…

  • CVE-2025-20333 · KEV · Sep 25, 2025
    risk 0.14 · cvss n/a · epss 0.40

    A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability…

  • CVE-2025-20352 · KEV · Sep 24, 2025
    risk 0.12 · cvss n/a · epss 0.38

    A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device…

  • CVE-2025-10585 · KEV · Sep 24, 2025
    risk 0.12 · cvss n/a · epss 0.05

    Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2025-26399 · KEV · Sep 23, 2025
    risk 0.14 · cvss n/a · epss 0.88

    SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which…

  • CVE-2025-48703 · KEV · Sep 19, 2025
    risk 0.18 · cvss n/a · epss 1.00

    CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
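    The CWP entry is the textbook shape of CWE-78: a request parameter carrying shell metacharacters reaches a command line. The block below is an added example, not CWP's code, written in Python rather than the panel's own language: the 'before' splices the parameter into a string a shell will parse, a small tokeniser shows how many separate commands /bin/sh would then run, and the 'after' validates the value and passes it as its own argv element with no shell involved. The assumption that t_total is an octal chmod mode is taken from the advisory's "changePerm" wording and is not confirmed by it; the path, user and payload are constructed.

```python
"""Added example, not CWP's code: shell-metacharacter command injection
through a request parameter, and the hardened equivalent.
Assumption: t_total is an octal chmod mode (inferred from 'changePerm')."""
from __future__ import annotations

import re
import shlex
import subprocess

# Tokens that end one simple command and start another in a POSIX shell.
COMMAND_SEPARATORS = {";", "|", "||", "&", "&&"}
# Strict allowlist for the mode: three or four octal digits, nothing else.
MODE_RE = re.compile(r"^[0-7]{3,4}$")


def build_command_vulnerable(t_total: str, path: str) -> str:
    """The 'before': the raw parameter is interpolated into a command line that
    will be handed to a shell, so ';' or '|' inside it ends chmod and starts
    whatever follows."""
    return f"chmod {t_total} {path}"


def commands_seen_by_shell(cmdline: str) -> list[list[str]]:
    """Tokenise like a POSIX shell (operators become their own tokens) and split
    into the simple commands the shell would execute. Command substitution
    ($(...) and backticks) is not modelled; it would add further commands."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def change_perm_hardened(t_total: str, path: str, dry_run: bool = True) -> list[str]:
    """The 'after': reject anything that is not a plain octal mode, then run
    chmod with an argv list. Without a shell, metacharacters are inert bytes
    in a single argument; '--' keeps a path starting with '-' from being read
    as an option. Path confinement (realpath under the user's home) belongs
    here too and is left as a separate check."""
    if not MODE_RE.fullmatch(t_total):
        raise ValueError(f"rejected mode {t_total!r}")
    argv = ["chmod", t_total, "--", path]
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


# Constructed inputs: a benign mode and an injection payload.
BENIGN_MODE = "755"
INJECTED_MODE = "755; id"
TARGET_PATH = "/home/alice/public_html/index.php"
```

    commands_seen_by_shell(build_command_vulnerable(INJECTED_MODE, TARGET_PATH)) yields two commands, chmod and id, which is the whole bug; change_perm_hardened raises on the same input and, for the benign mode, returns an argv list in which the mode can never be anything but a mode.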

  • CVE-2025-59689 · KEV · Sep 19, 2025
    risk 0.13 · cvss n/a · epss 0.02

    Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been…

  • CVE-2025-10035 · KEV · Sep 18, 2025
    risk 0.23 · cvss n/a · epss 1.00

    A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

  • CVE-2025-9242 · KEV · Sep 17, 2025
    risk 0.18 · cvss n/a · epss 0.86

    An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway…

  • CVE-2025-21043 · KEV · Sep 12, 2025
    risk 0.12 · cvss n/a · epss 0.01

    Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.

  • CVE-2025-21042 · KEV · Sep 12, 2025
    risk 0.12 · cvss n/a · epss 0.12

    Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code.

  • CVE-2025-54236 · Critical · KEV · Sep 9, 2025
    risk 0.80 · cvss 9.1 · epss 0.97

    Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity…

  • CVE-2025-48543 · KEV · Sep 4, 2025
    risk 0.12 · cvss n/a · epss 0.01

    In multiple locations, there is a possible way to escape chrome sandbox to attack android system_server due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-53690 · KEV · Sep 3, 2025
    risk 0.12 · cvss n/a · epss 0.26

    Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

  • CVE-2025-9377 · KEV · Aug 29, 2025
    risk 0.14 · cvss n/a · epss 0.12

    An authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the…

  • CVE-2025-55177 · KEV · Aug 29, 2025
    risk 0.12 · cvss n/a · epss 0.04

    Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a…

  • CVE-2025-57819 · KEV · Aug 28, 2025
    risk 0.21 · cvss n/a · epss 0.93

    FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code…

  • CVE-2025-7775 · KEV · Aug 26, 2025
    risk 0.13 · cvss n/a · epss 0.19

    Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server (OR) NetScaler ADC and NetScaler…

  • CVE-2025-43300 · Critical · KEV · Aug 21, 2025
    risk 0.77 · cvss 10.0 · epss 0.20

    An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12, iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, macOS Ventura 13.7.8.…

  • CVE-2025-8875 · KEV · Aug 14, 2025
    risk 0.12 · cvss n/a · epss 0.02

    Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code. This issue affects N-central: before 2025.3.1.

  • CVE-2025-8876 · KEV · Aug 14, 2025
    risk 0.13 · cvss n/a · epss 0.03

    Improper Input Validation vulnerability in N-able N-central allows OS Command Injection. This issue affects N-central: before 2025.3.1.

  • CVE-2025-8088 · KEV · Aug 8, 2025
    risk 0.13 · cvss n/a · epss 0.86

    A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček …
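    Archive path traversal, the class of flaw in the WinRAR entry, is caught by checking every member name before anything is written. The block below is an added example, not WinRAR's or the researchers' code: Python's standard library has no RAR reader, so a ZIP built in memory stands in for the archive, and the member names (a Windows-style '..' climb, an absolute POSIX path, a drive-qualified path) are constructed. It classifies members, refuses the whole archive if any escapes, and re-checks the resolved target of each write so a symlinked directory created by an earlier member cannot redirect a later one.

```python
"""Added example, not WinRAR's code: detecting archive members whose names
escape the extraction directory. A ZIP stands in for a RAR archive; the
member names are constructed."""
from __future__ import annotations

import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member(name: str) -> bool:
    """True if `name`, once normalised, is relative and stays below the root.
    Archives written on Windows may carry backslashes, so both separators count."""
    n = name.replace("\\", "/")
    if not n or "\x00" in n:
        return False
    if n.startswith("/"):               # absolute POSIX path, also UNC (//host/share)
        return False
    if len(n) >= 2 and n[1] == ":":     # drive-qualified Windows path (C:...)
        return False
    parts = posixpath.normpath(n).split("/")
    return ".." not in parts            # any surviving '..' climbs out of the root


def audit_archive(data: bytes) -> dict[str, list[str]]:
    """Classify every member name without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {
        "safe": [n for n in names if is_safe_member(n)],
        "traversal": [n for n in names if not is_safe_member(n)],
    }


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member fails the name check, then write
    each member only after confirming its resolved path is still under `dest`."""
    bad = audit_archive(data)["traversal"]
    if bad:
        raise ValueError(f"refusing archive: traversal in members {bad!r}")
    root = os.path.realpath(dest)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rel = posixpath.normpath(info.filename.replace("\\", "/"))
            target = os.path.realpath(os.path.join(root, rel))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"resolved path escapes destination: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(rel)
    return written


def build_sample_archive() -> bytes:
    """Constructed sample: two benign members and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("docs/../notes.txt", b"inside the root once normalised")
        zf.writestr("..\\..\\evil.exe", b"MZ")              # Windows-style climb
        zf.writestr("/etc/cron.d/x", b"* * * * * root id")  # absolute POSIX path
        zf.writestr("C:\\evil.exe", b"MZ")                  # drive-qualified path
    return buf.getvalue()


def rejects_traversal(data: bytes) -> bool:
    """Try safe_extract into a scratch directory; True if it refused and wrote nothing."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(data, d)
        except ValueError:
            return os.listdir(d) == []
    return False
```

    audit_archive(build_sample_archive()) reports two safe members and three traversal attempts, and rejects_traversal confirms that the extractor refuses the archive before touching the destination. The same is_safe_member check applies unchanged to RAR, TAR or any other container once you have its member list.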