CVE Feeds
Latest Critical CVEs
Updates on the latest high and critical severity vulnerabilities.
CVE-2025-13008 - Session Token Disclosure in M-Files Web
CVE ID: CVE-2025-13008
Published: Dec. 19, 2025, 7:15 a.m.
Description: An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
Severity: 8.6 | HIGH
CVE-2025-67843 - Mintlify Platform SSTI Vulnerability
CVE ID: CVE-2025-67843
Published: Dec. 19, 2025, 2:16 a.m.
Description: A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file.
Severity: 8.3 | HIGH
CVE-2025-52692 - Bypass Authentication
CVE ID: CVE-2025-52692
Published: Dec. 19, 2025, 2:16 a.m.
Description: Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials.
Severity: 8.8 | HIGH
CVE-2025-13941 - Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability
CVE ID: CVE-2025-13941
Published: Dec. 19, 2025, 2:16 a.m.
Description: A local privilege escalation vulnerability exists in the Foxit PDF Reader/Editor Update Service. During plugin installation, incorrect file system permissions are assigned to resources used by the update service. A local attacker with low privileges could modify or replace these resources, which are later executed by the service, resulting in execution of arbitrary code with SYSTEM privileges.
Severity: 8.8 | HIGH
CVE-2025-14733 - WatchGuard Firebox iked Out of Bounds Write Vulnerability
CVE ID: CVE-2025-14733
Published: Dec. 19, 2025, 1:16 a.m.
Description: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.
Severity: 9.3 | CRITICAL
CVE-2025-11774 - Malicious Code Execution Vulnerability in the Software Keyboard Function of GENESIS64, ICONICS Suite, Mobile HMI, and MC Works64
CVE ID: CVE-2025-11774
Published: Dec. 19, 2025, 1:16 a.m.
Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the software keyboard function (hereinafter referred to as "keypad function") of Mitsubishi Electric GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 CFR3 and prior, and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute arbitrary executable files (EXE) when a legitimate user uses the keypad function by tampering with the configuration file for the function. This could allow the attacker to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a denial-of-service (DoS) condition on the system, through the execution of the EXE.
Severity: 8.2 | HIGH
CVE-2025-64675 - Azure Cosmos DB Spoofing Vulnerability
CVE ID: CVE-2025-64675
Published: Dec. 19, 2025, 12:15 a.m.
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
Severity: 8.3 | HIGH
CVE-2025-68398 - Weblate has git config file overwrite vulnerability that leads to remote code execution
CVE ID: CVE-2025-68398
Published: Dec. 18, 2025, 11:15 p.m.
Description: Weblate is a web-based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
Severity: 9.1 | CRITICAL
CVE-2025-65041 - Microsoft Partner Center Elevation of Privilege Vulnerability
CVE ID: CVE-2025-65041
Published: Dec. 18, 2025, 10:16 p.m.
Description: Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
Severity: 10.0 | CRITICAL
CVE-2025-65037 - Azure Container Apps Remote Code Execution Vulnerability
CVE ID: CVE-2025-65037
Published: Dec. 18, 2025, 10:16 p.m.
Description: Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
Severity: 10.0 | CRITICAL
CVE-2025-64677 - Office Out-of-Box Experience Spoofing Vulnerability
CVE ID: CVE-2025-64677
Published: Dec. 18, 2025, 10:16 p.m.
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
Severity: 8.2 | HIGH
CVE-2025-64663 - Custom Question Answering Elevation of Privilege Vulnerability
CVE ID: CVE-2025-64663
Published: Dec. 18, 2025, 10:16 p.m.
Description: Custom Question Answering Elevation of Privilege Vulnerability
Severity: 9.9 | CRITICAL
CVE-2025-34452 - Streama Subtitle Download Path Traversal and SSRF Leading to Arbitrary File Write
CVE ID: CVE-2025-34452
Published: Dec. 18, 2025, 10:15 p.m.
Description: Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution.
Severity: 8.7 | HIGH
CVE-2025-62001 - BullWall Ransomware Containment hard-coded folder exclusions
CVE ID: CVE-2025-62001
Published: Dec. 18, 2025, 9:15 p.m.
Description: BullWall Ransomware Containment contains excluded file paths, such as '$recycle.bin', that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected.
Severity: 8.8 | HIGH
CVE-2025-14850 - Advantech WebAccess/SCADA Improper Limitation of a Pathname to a Restricted Directory
CVE ID: CVE-2025-14850
Published: Dec. 18, 2025, 9:15 p.m.
Description: Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files.
Severity: 8.1 | HIGH
CVE-2025-14849 - Advantech WebAccess/SCADA Unrestricted Upload of File with Dangerous Type
CVE ID: CVE-2025-14849
Published: Dec. 18, 2025, 9:15 p.m.
Description: Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code.
Severity: 8.8 | HIGH
CVE-2023-53942 - File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution
CVE ID: CVE-2023-53942
Published: Dec. 18, 2025, 8:15 p.m.
Description: File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter.
Severity: 9.4 | CRITICAL
CVE-2023-53941 - EasyPHP Webserver 14.1 Remote Code Execution
CVE ID: CVE-2023-53941
Published: Dec. 18, 2025, 8:15 p.m.
Description: EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges.
Severity: 9.8 | CRITICAL
CVE-2021-47711 - Kentico Xperience SQL Injection
CVE ID: CVE-2021-47711
Published: Dec. 18, 2025, 8:15 p.m.
Description: A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro method parameters. This enables unauthorized database access and potential data manipulation by exploiting macro method input validation weaknesses.
Severity: 8.8 | HIGH
CVE-2019-25229 - Kentico Xperience File Upload
CVE ID: CVE-2019-25229
Published: Dec. 18, 2025, 8:15 p.m.
Description: An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads.
Severity: 8.8 | HIGH
Information
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30 year history we have provided security services and products for a wide variety of companies around the globe.