31,027 CVEs · Critical severity
CVEs (31,027, showing first 500)
Showing 101–125 of 31,027 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↑ | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-59978 | CRITICAL | Patched | 9.0 | 2025-10-09 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to store script tag… |
| CVE-2025-56795 | CRITICAL | Patched | 9.0 | 2025-09-29 | Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of … |
| CVE-2025-20363 | CRITICAL | Patched | 9.0 | 2025-09-25 | A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Soft… |
| CVE-2025-59545 | CRITICAL | Patched | 9.0 | 2025-09-23 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of… |
| CVE-2025-48703 | CRITICAL | Patched | 9.0 | 2025-09-19 | CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filema… |
| CVE-2025-58766 | CRITICAL | Patched | 9.0 | 2025-09-17 | Dyad is a local AI app builder. A critical security vulnerability has been discovered that affected Dyad v0.19.0 and earlier versions that allows attackers to execute arbit… |
| CVE-2025-55113 | CRITICAL | Patched | 9.0 | 2025-09-16 | If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentiall… |
| CVE-2025-55109 | CRITICAL | Patched | 9.0 | 2025-09-16 | An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an emp… |
| CVE-2025-58746 | CRITICAL | | 9.0 | 2025-09-08 | The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to ver… |
| CVE-2025-55244 | CRITICAL | | 9.0 | 2025-09-04 | Azure Bot Service Elevation of Privilege Vulnerability |
| CVE-2025-53690 | CRITICAL | Patched | 9.0 | 2025-09-03 | Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience M… |
| CVE-2025-34157 | CRITICAL | Patched | 9.0 | 2025-08-27 | Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low pr… |
| CVE-2025-55205 | CRITICAL | Patched | 9.0 | 2025-08-18 | Capsule is a multi-tenancy and policy-based framework for Kubernetes. A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant u… |
| CVE-2025-54117 | CRITICAL | Patched | 9.0 | 2025-08-18 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authe… |
| CVE-2025-44963 | CRITICAL | Patched | 9.0 | 2025-08-04 | RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain secret key. |
| CVE-2025-44954 | CRITICAL | Patched | 9.0 | 2025-08-04 | RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build has a hardcoded SSH private key for a root-equivalent user account. |
| CVE-2025-8264 | CRITICAL | Patched | 9.0 | 2025-07-29 | Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious … |
| CVE-2025-53084 | CRITICAL | | 9.0 | 2025-07-24 | A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTT… |
| CVE-2025-24937 | CRITICAL | | 9.0 | 2025-07-21 | File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a full compromise of the web a… |
| CVE-2025-24936 | CRITICAL | | 9.0 | 2025-07-21 | The web application allows user input to pass unfiltered to a command executed on the underlying operating system. The vulnerable component is bound to the network stack an… |
| CVE-2025-54309 | CRITICAL | Patched | 9.0 | 2025-07-18 | CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admi… |
| CVE-2025-47158 | CRITICAL | | 9.0 | 2025-07-18 | Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-23266 | CRITICAL | | 9.0 | 2025-07-17 | NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elev… |
| CVE-2025-50067 | CRITICAL | | 9.0 | 2025-07-15 | Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vul… |
| CVE-2025-53835 | CRITICAL | Patched | 9.0 | 2025-07-14 | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5… |