CVE Feeds
Latest Critical CVEs
Updates on the latest high and critical severity vulnerabilities.
CVE-2024-44065 - Cloudlog Blind SQL Injection
CVE ID: CVE-2024-44065
Published: Dec. 26, 2025, 5:15 p.m. | 4 hours, 50 minutes ago
Description: Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13158 - apidoc-core - prototype pollution in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker
CVE ID: CVE-2025-13158
Published: Dec. 26, 2025, 4:15 p.m. | 5 hours, 50 minutes ago
Description: Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.
Severity: 9.3 | CRITICAL
CVE-2025-13915 - Authentication bypass in IBM API Connect
CVE ID: CVE-2025-13915
Published: Dec. 26, 2025, 2:15 p.m. | 7 hours, 50 minutes ago
Description: IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
Severity: 9.8 | CRITICAL
CVE-2025-59887 - Eaton UPS Companion Library File Authentication Bypass
CVE ID: CVE-2025-59887
Published: Dec. 26, 2025, 7:15 a.m. | 14 hours, 50 minutes ago
Description: Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of EUC, which is available on the Eaton download center.
Severity: 8.6 | HIGH
CVE-2025-68939 - Gitea File Extension Bypass Vulnerability
CVE ID: CVE-2025-68939
Published: Dec. 26, 2025, 3:15 a.m. | 18 hours, 50 minutes ago
Description: Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
Severity: 8.2 | HIGH
CVE-2025-15092 - UTT 进取 512W ConfigExceptMSN strcpy buffer overflow
CVE ID: CVE-2025-15092
Published: Dec. 26, 2025, 1:15 a.m. | 20 hours, 50 minutes ago
Description: A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity: 9.0 | HIGH
CVE-2025-68937 - Forgejo Symlink Destination Template Repository Write Access Vulnerability
CVE ID: CVE-2025-68937
Published: Dec. 26, 2025, 12:16 a.m. | 21 hours, 50 minutes ago
Description: Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Severity: 9.5 | CRITICAL
CVE-2025-15091 - UTT 进取 512W formPictureUrl strcpy buffer overflow
CVE ID: CVE-2025-15091
Published: Dec. 26, 2025, 12:16 a.m. | 21 hours, 50 minutes ago
Description: A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 9.0 | HIGH
CVE-2025-15090 - UTT 进取 512W formConfigNoticeConfig strcpy buffer overflow
CVE ID: CVE-2025-15090
Published: Dec. 25, 2025, 11:15 p.m. | 22 hours, 50 minutes ago
Description: A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed remotely. The exploit has been made public and could be used.
Severity: 9.0 | HIGH
CVE-2025-15089 - UTT 进取 512W APSecurity strcpy buffer overflow
CVE ID: CVE-2025-15089
Published: Dec. 25, 2025, 11:15 p.m. | 22 hours, 50 minutes ago
Description: A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
Severity: 9.0 | HIGH
CVE-2025-59683 - Pexip Infinity Improper Access Control Denial of Service
CVE ID: CVE-2025-59683
Published: Dec. 25, 2025, 5:16 a.m. | 1 day, 16 hours ago
Description: Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service.
Severity: 8.2 | HIGH
CVE-2025-68920 - C-Kermit Remote File Overwrite/Vulnerable File Retrieval
CVE ID: CVE-2025-68920
Published: Dec. 24, 2025, 10:15 p.m. | 1 day, 23 hours ago
Description: C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system.
Severity: 8.9 | HIGH
CVE-2025-8769 - MegaSys Computer Technologies Telenium Online Web Application Improper Input Validation
CVE ID: CVE-2025-8769
Published: Dec. 24, 2025, 9:16 p.m. | 2 days ago
Description: Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server.
Severity: 9.8 | CRITICAL
CVE-2025-68916 - Riello UPS NetMan 208 Remote File Inclusion Vulnerability
CVE ID: CVE-2025-68916
Published: Dec. 24, 2025, 8:16 p.m. | 2 days, 1 hour ago
Description: Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution.
Severity: 9.1 | CRITICAL
CVE-2019-25257 - LogicalDOC Enterprise 7.7.4 Authenticated Command Execution via Binary Path Manipulation
CVE ID: CVE-2019-25257
Published: Dec. 24, 2025, 8:15 p.m. | 2 days, 1 hour ago
Description: LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges.
Severity: 8.7 | HIGH
CVE-2019-25255 - VideoFlow Digital Video Protection DVP 2.10 Authenticated Remote Code Execution
CVE ID: CVE-2019-25255
Published: Dec. 24, 2025, 8:15 p.m. | 2 days, 1 hour ago
Description: VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access.
Severity: 8.7 | HIGH
CVE-2019-25249 - devolo dLAN 500 AV Wireless+ 3.1.0-1 Remote Code Execution via htmlmgr
CVE ID: CVE-2019-25249
Published: Dec. 24, 2025, 8:15 p.m. | 2 days, 1 hour ago
Description: devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters.
Severity: 9.8 | CRITICAL
CVE-2019-25248 - Beward N100 M2.1.6 Unauthenticated RTSP Video Stream Disclosure
CVE ID: CVE-2019-25248
Published: Dec. 24, 2025, 8:15 p.m. | 2 days, 1 hour ago
Description: Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism.
Severity: 8.7 | HIGH
CVE-2019-25246 - Beward N100 H.264 VGA IP Camera M2.1.6 Authenticated File Disclosure
CVE ID: CVE-2019-25246
Published: Dec. 24, 2025, 8:15 p.m. | 2 days, 1 hour ago
Description: Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths.
Severity: 8.8 | HIGH
CVE-2019-25245 - Ross Video DashBoard 8.5.1 Privilege Escalation via Insecure Permissions
CVE ID: CVE-2019-25245
Published: Dec. 24, 2025, 8:15 p.m. | 2 days, 1 hour ago
Description: Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can exploit the 'M' or 'C' flags for 'Authenticated Users' group to replace the DashBoard.exe binary with a malicious executable.
Severity: 8.8 | HIGH
Information
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30-year history, we have provided security services and products for a wide variety of companies around the globe.