CVE Feeds
Latest Critical CVEs
Updates on the latest high and critical severity vulnerabilities.
CVE-2025-13970 - OpenPLC_V3 Cross-Site Request Forgery
CVE ID: CVE-2025-13970
Published: Dec. 13, 2025, 12:03 a.m.
Description: OpenPLC_V3 is vulnerable to cross-site request forgery (CSRF) because its state-changing requests carry no CSRF validation. An unauthenticated attacker can trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs, which could lead to significant disruption or damage to connected systems.
Severity: 8.0 | HIGH

CVE-2025-67750 - Lightning Flow Scanner is Vulnerable to Code Injection via Unsafe Use of new Function() in APIVersion Rule
CVE ID: CVE-2025-67750
Published: Dec. 12, 2025, 9:15 p.m.
Description: Lightning Flow Scanner provides a CLI plugin, VS Code extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
Severity: 8.4 | HIGH

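The new Function() pattern beside a parser that accepts only what the rule actually needs, as an added example; this is not Lightning Flow Scanner code. It assumes, hypothetically, that the APIVersion rule is configured with an expression string such as ">=58" that is compared against each flow's apiVersion; the exact configuration shape in the project is not shown on this page.

```javascript
// Added example, not Lightning Flow Scanner code. Assumes (hypothetically)
// that the APIVersion rule takes an expression string such as ">=58" that
// is compared against each flow's apiVersion.

// Vulnerable pattern: the expression string is spliced into JavaScript
// source, so whatever it contains runs with the scanner's privileges
// (developer machine, CI runner, editor process).
function evaluateVersionUnsafe(expression, apiVersion) {
  return new Function('apiVersion', 'return apiVersion ' + expression)(apiVersion);
}

// Hardened replacement: accept only <operator><number> and compare numerically.
// Anything else (including the payload below) is rejected, never evaluated.
const OPS = {
  '>':  (a, b) => a > b,   '>=': (a, b) => a >= b,
  '<':  (a, b) => a < b,   '<=': (a, b) => a <= b,
  '==': (a, b) => a === b, '!=': (a, b) => a !== b,
};
const EXPR = /^\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)?)\s*$/;

function evaluateVersionSafe(expression, apiVersion) {
  const m = EXPR.exec(String(expression));
  if (!m) throw new Error('APIVersion rule: rejected expression ' + JSON.stringify(expression));
  const v = Number(apiVersion);
  if (!Number.isFinite(v)) throw new Error('APIVersion rule: apiVersion is not numeric');
  return OPS[m[1]](v, Number(m[2]));
}

// A "version expression" that is also a JavaScript program: the comma
// expression evaluates to 58, so the comparison still looks valid, but the
// assignment runs first. A real payload would reach for child_process.
const PAYLOAD = ">= (globalThis.pwned = 'scanner executed attacker code', 58)";

function demoUnsafe() {
  const result = evaluateVersionUnsafe(PAYLOAD, '59.0');   // true: comparison "passes"
  const sideEffect = globalThis.pwned;                      // ...and the payload ran
  delete globalThis.pwned;
  return { result, sideEffect };
}

function demoSafe() {
  let rejected = false;
  try { evaluateVersionSafe(PAYLOAD, '59.0'); } catch (e) { rejected = true; }
  return {
    rejected,
    ok:  evaluateVersionSafe('>=58', '59.0'),   // true
    old: evaluateVersionSafe('>=58', '57'),     // false
  };
}
```

The general lesson applies beyond this rule: a config value that is only ever a comparison does not need an expression evaluator, and a static analysis tool that parses attacker-controlled metadata (flows in a pull request, for instance) must treat every string in it as data.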
CVE-2024-58316 - Online Shopping System Advanced 1.0 SQL Injection via Payment Success Parameter
CVE ID: CVE-2024-58316
Published: Dec. 12, 2025, 9:15 p.m.
Description: Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script: the 'cm' parameter, which carries a user ID, is passed to the query unfiltered. Attackers can supply crafted SQL in that parameter to retrieve sensitive information from the database.
Severity: 8.7 | HIGH

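A detection pass over web-server access logs for injection attempts against a parameter like 'cm', as an added example that is not part of the advisory. The log lines, addresses and payloads are constructed, and the signature list is deliberately small: it is a triage aid for a hunt, not a substitute for parameterised queries or a WAF.

```javascript
// Added example, not from the advisory: scan (constructed) access-log lines
// for SQL injection attempts against payment_success.php?cm=... .
const SAMPLE_LOG = [   // constructed sample, combined log format
  '10.0.0.5 - - [12/Dec/2025:20:15:01 +0000] "GET /payment_success.php?cm=42 HTTP/1.1" 200 812',
  '10.0.0.9 - - [12/Dec/2025:20:15:07 +0000] "GET /payment_success.php?cm=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
  '10.0.0.9 - - [12/Dec/2025:20:15:09 +0000] "GET /payment_success.php?cm=42%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 11004',
  '10.0.0.5 - - [12/Dec/2025:20:15:12 +0000] "GET /index.php?page=products HTTP/1.1" 200 3300',
  '10.0.0.9 - - [12/Dec/2025:20:15:15 +0000] "GET /payment_success.php?cm=42%20AND%20SLEEP(5) HTTP/1.1" 200 812',
];

const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)/;

// Signatures run against each *decoded* parameter value, not the raw URL,
// so %27 / %20 / + encodings do not hide the payload.
const SIGNATURES = [
  { name: 'tautology',  re: /'\s*(or|and)\s*'?\d*'?\s*=/i },
  { name: 'union',      re: /\bunion\b\s+(all\s+)?\bselect\b/i },
  { name: 'comment',    re: /(--|#|\/\*)\s*$/ },
  { name: 'time-based', re: /\b(sleep|benchmark|pg_sleep|waitfor)\s*\(/i },
];

function parseAccessLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  const url = new URL(m[4], 'http://placeholder');   // base only so the path parses
  return { ip: m[1], time: m[2], method: m[3], path: url.pathname,
           params: url.searchParams, status: m[5] };
}

// Returns null for a clean line, otherwise which parameter tripped which signature.
function flagSqli(line) {
  const rec = parseAccessLine(line);
  if (!rec) return null;
  const hits = [];
  for (const [name, value] of rec.params) {   // values are already percent-decoded
    for (const sig of SIGNATURES) if (sig.re.test(value)) hits.push(`${name}:${sig.name}`);
  }
  return hits.length ? { ip: rec.ip, time: rec.time, path: rec.path, hits } : null;
}

function scan(lines = SAMPLE_LOG) {
  return lines.map(flagSqli).filter(Boolean);
}
```

Pivoting on the source address after a hit (all three flagged lines here come from the same client within eight seconds) and on the response size (the UNION line returns a much larger body than the baseline 812 bytes) is usually more telling than any single signature.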
CVE-2025-8083 - Vuetify Prototype Pollution via Preset options
CVE ID: CVE-2025-8083
Published: Dec. 12, 2025, 8:15 p.m.
Description: The Preset configuration feature of Vuetify (https://v2.vuetifyjs.com/en/features/presets) is vulnerable to Prototype Pollution (https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) due to the internal 'mergeDeep' utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data. If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process. This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see https://v2.vuetifyjs.com/en/about/eol/ .
Severity: 8.6 | HIGH

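A deep merge of the kind the advisory describes beside a hardened version, as an added example; this is not Vuetify's mergeDeep, and the preset content, default options and the isAdmin property are constructed. It also shows why the preset must arrive via JSON.parse (or any parser that creates an own "__proto__" key) for the bug to trigger, a detail that matters when writing a regression test.

```javascript
// Added example, not Vuetify code: a deep-merge of the shape the advisory
// describes, beside a hardened one. Preset and defaults are constructed.

// Vulnerable: recursive merge that follows every enumerable key of the
// source, including "__proto__", which on the target resolves to
// Object.prototype, so the attacker's keys land on every object.
function mergeDeepUnsafe(target, source) {
  for (const key in source) {
    const sv = source[key];
    if (sv && typeof sv === 'object' && !Array.isArray(sv)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeDeepUnsafe(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Hardened: own keys only, the three prototype-reaching names are refused
// outright (fail closed on untrusted config), and recursion only descends
// into objects the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error('refusing to merge key ' + key);
    const sv = source[key];
    if (sv && typeof sv === 'object' && !Array.isArray(sv)) {
      if (!hasOwn(target, key) || !target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeDeepSafe(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// A preset as it would arrive from JSON. JSON.parse creates an *own*
// property literally named "__proto__"; an object literal {"__proto__": ...}
// would instead set the prototype and would not reproduce the bug.
const MALICIOUS_PRESET = JSON.parse(
  '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}'
);

// Merge the preset into defaults, then read a property off an unrelated,
// freshly created object to see whether Object.prototype was touched.
function demo(mergeFn) {
  const defaults = { theme: { dark: false }, icons: { iconfont: 'mdi' } };
  let error = null;
  try { mergeFn(defaults, MALICIOUS_PRESET); } catch (e) { error = e.message; }
  const leaked = ({}).isAdmin;        // undefined unless the prototype was polluted
  delete Object.prototype.isAdmin;    // clean up after the unsafe run
  return { dark: defaults.theme.dark, leaked, error };
}
```

In an SSR deployment the polluted Object.prototype is shared by every request handled by that process, which is why the advisory rates the server case more seriously than a single browser tab.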
CVE-2025-14572 - UTT 进取 512W formWebAuthGlobalConfig memory corruption
CVE ID: CVE-2025-14572
Published: Dec. 12, 2025, 8:15 p.m.
Description: A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. It affects an unknown part of the file /goform/formWebAuthGlobalConfig. Manipulating the argument hidcontact results in memory corruption. The attack can be launched remotely. An exploit has been made public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.0 | HIGH

CVE-2025-14373 - Google Chrome Android Domain Spoofing Vulnerability
CVE ID: CVE-2025-14373
Published: Dec. 12, 2025, 8:15 p.m.
Description: Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)
Severity: 9.8 | CRITICAL

CVE-2025-14174 - Google Chromium Out of Bounds Memory Access Vulnerability - [Actively Exploited]
CVE ID: CVE-2025-14174
Published: Dec. 12, 2025, 8:15 p.m.
Description: Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Severity: 8.8 | HIGH

CVE-2024-58314 - Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI
CVE ID: CVE-2024-58314
Published: Dec. 12, 2025, 8:15 p.m.
Description: Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.
Severity: 8.8 | HIGH

CVE-2024-58311 - Dormakaba Saflok System 6000 Key Generation Cryptographic Weakness
CVE ID: CVE-2024-58311
Published: Dec. 12, 2025, 8:15 p.m.
Description: Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys using a simple mathematical transformation of the card's unique identifier.
Severity: 9.8 | CRITICAL

CVE-2024-58305 - WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation
CVE ID: CVE-2024-58305
Published: Dec. 12, 2025, 8:15 p.m.
Description: WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link.
Severity: 8.8 | HIGH

CVE-2024-58299 - PCMan FTP Server 2.0 Remote Buffer Overflow via 'pwd' Command
CVE ID: CVE-2024-58299
Published: Dec. 12, 2025, 8:15 p.m.
Description: PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
Severity: 9.8 | CRITICAL

CVE-2024-14010 - Typora 1.7.4 OS Command Injection via Export PDF Preferences
CVE ID: CVE-2024-14010
Published: Dec. 12, 2025, 8:15 p.m.
Description: Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.
Severity: 9.8 | CRITICAL

CVE-2025-66430 - Plesk Authentication Bypass
CVE ID: CVE-2025-66430
Published: Dec. 12, 2025, 4:15 p.m.
Description: Plesk 18.0 has Incorrect Access Control.
Severity: 9.1 | CRITICAL

CVE-2025-65854 - MineAdmin Command Injection Vulnerability
CVE ID: CVE-2025-65854
Published: Dec. 12, 2025, 4:15 p.m.
Description: Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allow attackers to execute arbitrary commands and achieve full account takeover.
Severity: 9.8 | CRITICAL

CVE-2025-65530 - CloudLinux ai-bolit Remote File Overwrite Vulnerability
CVE ID: CVE-2025-65530
Published: Dec. 12, 2025, 4:15 p.m.
Description: An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file.
Severity: 8.8 | HIGH

CVE-2025-13733 - BuhoNTFS 1.3.2 - Local Privilege Escalation
CVE ID: CVE-2025-13733
Published: Dec. 12, 2025, 4:15 p.m.
Description: BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoNTFS: 1.3.2.
Severity: 8.4 | HIGH

CVE-2025-36745 - SolarEdge SE3680H contains Linux Kernel vulnerabilities
CVE ID: CVE-2025-36745
Published: Dec. 12, 2025, 3:15 p.m.
Description: SolarEdge SE3680H ships with an outdated Linux kernel containing unpatched vulnerabilities in core subsystems. An attacker with network or local access can exploit these flaws to achieve remote code execution, privilege escalation, or disclosure of sensitive information.
Severity: 8.6 | HIGH

CVE-2025-36743 - SolarEdge SE3680H - Exposed Debug interface
CVE ID: CVE-2025-36743
Published: Dec. 12, 2025, 3:15 p.m.
Description: SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands.
Severity: 8.6 | HIGH

CVE-2025-13506 - Improper Authorization in Nebim Neyir's Nebim V3 ERP
CVE ID: CVE-2025-13506
Published: Dec. 12, 2025, 1:15 p.m.
Description: An Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows an attacker to expand control over the operating system from the database. This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1.
Severity: 8.8 | HIGH

CVE-2025-58137 - Apache Fineract: IDOR via self-service API
CVE ID: CVE-2025-58137
Published: Dec. 12, 2025, 10:15 a.m.
Description: Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
Severity: 8.1 | HIGH
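The "authorization bypass through user-controlled key" pattern in a self-service style API, with the object-level check that closes it, as an added example in JavaScript; it is not Apache Fineract code, and the advisory gives no detail of the affected endpoint. The client records, route shape and the session's client mapping are constructed.

```javascript
// Added example, not Apache Fineract code: an IDOR in a self-service API
// beside the fix. Records, routes and the session model are constructed.
const ACCOUNTS = new Map([
  [1001, { clientId: 1001, owner: 'alice', balance: 2500 }],
  [1002, { clientId: 1002, owner: 'bob',   balance: 910 }],
]);

// Vulnerable: the record key comes straight from the URL; any authenticated
// self-service user can read any client by changing the number.
function getClientUnsafe(req) {
  const id = Number(req.params.clientId);
  const rec = ACCOUNTS.get(id);
  return rec ? { status: 200, body: rec } : { status: 404 };
}

// Fixed: the key is checked against the set of clients the session is
// entitled to, populated at login from the user->client mapping. The lookup
// happens only after that check, and a miss is 403 whether or not the
// record exists, so the endpoint cannot be used to enumerate client IDs.
function getClientSafe(req) {
  const id = Number(req.params.clientId);
  const allowed = new Set(req.session.clientIds);
  if (!Number.isInteger(id) || !allowed.has(id)) return { status: 403 };
  const rec = ACCOUNTS.get(id);
  return rec ? { status: 200, body: rec } : { status: 404 };
}

// Bob is logged in as the self-service user for client 1002 and asks for 1001.
function demo() {
  const bobAsksForAlice = { params: { clientId: '1001' }, session: { user: 'bob', clientIds: [1002] } };
  const bobAsksForSelf  = { params: { clientId: '1002' }, session: { user: 'bob', clientIds: [1002] } };
  return {
    unsafe: getClientUnsafe(bobAsksForAlice).status,   // 200: Alice's record leaks
    safe:   getClientSafe(bobAsksForAlice).status,     // 403
    self:   getClientSafe(bobAsksForSelf).status,      // 200
  };
}
```

The check belongs in the handler (or a per-object authorization layer), not in the client: a self-service front end that simply never shows other IDs does nothing against a user who edits the request.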
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30-year history we have provided security services and products to a wide variety of companies around the globe.