Cut the noise.
Know which vulnerabilities demand action.

Monitor and prioritize what really matters — the 1% of vulnerabilities that can cause real impact.

Analytics

EPSS Trending (30d)

Threat Indicators

829
CISA KEV
244
Exploits
493
Proof-of-Concept
13.3%
Average EPSS

EPSS Hot Zone

|
Sort by:
KEV Prediction — Top%
EPSS Percentile — Top%

Emerging Vulnerabilities

30 Jun/26
CVE-2026-48282
CRITICAL

This vulnerability is a path traversal flaw caused by insufficient validation of user-supplied file path inputs within Adobe ColdFusion. The affected component improperly restricts pathname access, allowing attackers to traverse directories outside intended boundaries. This weakness occurs in ColdFusion versions 2023 and earlier, impacting the file handling mechanisms responsible for directory access control.

CVSS 10.0
EPSS 28.6%
KEV Pred in 20d
Product Adobe ColdFusion adobe
CVSS v3.1 KEV CWE-22 PoC RANSOMWARE
29 Jun/26
CVE-2026-56290
CRITICAL

This vulnerability is an unauthenticated arbitrary file upload flaw in the JoomlaCK.fr Page Builder CK extension for Joomla. The root cause lies in insufficient validation and filtering of uploaded files within the extension's file upload functionality. The affected component is the file upload handler that processes incoming files without proper authentication or content-type restrictions, enabling malicious payloads to be uploaded.

CVSS 9.8
EPSS 2.9%
KEV Pred in 19d
Product JoomlaCK.fr Page Builder CK extension for Joomla joomlack.fr
CVSS v3.1 CVSS v4.0 KEV CWE-434 PoC
23 Jun/26
CVE-2026-55255
HIGH

The vulnerability is an Insecure Direct Object Reference (IDOR) affecting the /api/v1/responses endpoint of the langflow-ai langflow product. The root cause is insufficient authorization validation allowing authenticated users to specify arbitrary flow IDs belonging to other users. This flaw resides in the API's access control mechanism for flow execution requests prior to version 1.9.1.

CVSS 8.4
EPSS 0.5%
KEV Pred in 13d
Product langflow-ai langflow langflow-ai
CVSS v3.1 KEV CWE-639 PoC
20 Jun/26
CVE-2026-48908
CRITICAL

This vulnerability is an unrestricted file upload flaw in the SP Page Builder extension for Joomla. The root cause is insufficient validation and sanitization of uploaded files, allowing unauthenticated users to upload arbitrary files, including executable PHP scripts. The affected component is the file upload functionality within the SP Page Builder extension.

CVSS 9.8
EPSS 1.6%
KEV Pred in 10d
Product joomshaper.net SP Page Builder extension for Joomla joomshaper.net
CVSS v3.1 CVSS v4.0 KEV CWE-434 PoC
15 Jun/26
CVE-2026-20262
MEDIUM

This vulnerability is a path traversal flaw (CWE-22) in the file upload functionality of Cisco Catalyst SD-WAN Manager's web UI. The root cause is improper validation of user-supplied input during the file upload process, allowing crafted input to manipulate file paths. The affected component is the API endpoint handling file uploads within the web management interface.

CVSS 6.5
EPSS 7.7%
KEV Pred in 5d
Product Cisco Catalyst SD-WAN Manager cisco
CVSS v3.1 KEV CWE-22 PoC
14 Jun/26
CVE-2026-54420
HIGH

This vulnerability is a symbolic link (symlink) traversal issue in the LiteSpeed cPanel plugin and LiteSpeed WHM plugin components. The root cause lies in improper validation and handling of user-supplied symlink paths within the plugin's file management routines. Specifically, the plugin fails to correctly restrict symlink resolution for users with FTP or web shell access on shared hosting environments using CloudLinux/CageFS, enabling unauthorized access to filesystem locations outside intended boundaries.

CVSS 8.5
EPSS 1.3%
KEV Pred in 4d
Product LiteSpeed Technologies cPanel Plugin litespeed
CVSS v3.1 KEV CWE-61 PoC
12 Jun/26
CVE-2026-48558
CRITICAL

This vulnerability is an authentication bypass caused by improper validation of OIDC identity tokens within SimpleHelp's authentication flow. The flaw arises because the system accepts identity tokens without verifying their cryptographic signatures. The affected component is the OIDC authentication mechanism in SimpleHelp versions 5.5.15 and earlier, as well as 6.0 pre-release versions.

CVSS 10.0
EPSS 1.2%
KEV Pred in 2d
Product SimpleHelp simplehelp
CVSS v3.1 CVSS v4.0 KEV CWE-347 PoC RANSOMWARE
08 Jun/26
CVE-2026-11645
HIGH

This vulnerability is an out-of-bounds read and write flaw occurring within the V8 JavaScript engine of Google Chrome. The root cause lies in improper bounds checking during memory operations, allowing access beyond allocated buffer limits. The affected component is the V8 engine, which handles JavaScript execution within the browser sandbox environment.

CVSS 8.8
EPSS 1.7%
KEV Pred 58%
Product Google Chrome google
CVSS v3.1 KEV CWE-125 PoC
05 Jun/26
CVE-2026-7473
MEDIUM

This vulnerability is a protocol decapsulation validation flaw affecting Arista Networks EOS tunnel processing components. Specifically, the switch fails to verify the tunnel protocol type when decapsulating packets on VXLAN, decap-groups, or GRE tunnel interfaces. This improper validation causes the device to incorrectly process tunneled packets with a destination IP matching its configured decapsulation IP regardless of the actual tunnel protocol, leading to unintended packet forwarding behavior.

CVSS 5.8
EPSS 0.8%
KEV Pred 64%
Product Arista Networks EOS arista
CVSS v3.1 CVSS v4.0 KEV CWE-1023 PoC
04 Jun/26
CVE-2026-28318
HIGH

This vulnerability is a denial-of-service condition caused by improper handling of HTTP POST requests with Content-Encoding set to deflate. The root cause lies in the Serv-U service's inability to correctly process specially crafted compressed payloads, leading to resource exhaustion or crash. The affected component is the Serv-U FTP server's HTTP request parsing logic, which does not require authentication to be triggered.

CVSS 7.5
EPSS 10.7%
KEV Pred 70%
Product SolarWinds Serv-U solarwinds
CVSS v3.1 KEV CWE-400 PoC
03 Jun/26
CVE-2026-20230
HIGH

This vulnerability is a server-side request forgery (SSRF) arising from improper input validation of specific HTTP requests in Cisco Unified Communications Manager and its Session Management Edition. The flaw exists within the WebDialer service component, which processes HTTP requests without sufficient sanitization, allowing crafted requests to manipulate internal server behavior. The root cause is the lack of validation on input parameters that control file operations on the underlying operating system.

CVSS 8.6
EPSS 41.7%
KEV Pred 76%
Product Cisco Unified Communications Manager cisco
CVSS v3.1 KEV CWE-918 PoC
26 May/26
CVE-2026-45247
CRITICAL

This vulnerability is a PHP object injection caused by the unsafe use of PHP's native unserialize() function on user-controlled input. Specifically, the CacheWarmer cookie in Mirasvit Full Page Cache Warmer for Magento 2 versions prior to 1.11.12 is processed without validation, allowing deserialization of crafted serialized PHP objects. The flaw resides in the cache warming component responsible for handling cache refresh requests and related cookie data.

CVSS 9.8
EPSS 27.5%
KEV Pred 61%
Product Mirasvit Full Page Cache Warmer for Magento 2 mirasvit
CVSS v3.1 CVSS v4.0 KEV CWE-502 PoC
22 May/26
CVE-2026-45659
HIGH

This vulnerability is a deserialization flaw in Microsoft Office SharePoint Enterprise Server 2016. It arises from improper handling of untrusted serialized data within SharePoint's data processing components, allowing maliciously crafted input to be deserialized. The affected component is the SharePoint server's deserialization mechanism responsible for processing serialized objects received over the network from authorized users.

CVSS 8.8
EPSS 3.2%
KEV Pred 69%
Product Microsoft SharePoint Enterprise Server 2016 microsoft
CVSS v3.1 KEV CWE-502 PoC RANSOMWARE
22 May/26
CVE-2026-34908
CRITICAL

This vulnerability is an Improper Access Control flaw affecting Ubiquiti UniFi OS Server and related firmware components. The root cause lies in insufficient enforcement of authorization checks within system management interfaces, allowing unauthorized network actors to interact with privileged functions. The affected components include UniFi OS devices and various UniFi Dream Machine firmware variants, where control mechanisms fail to restrict access to critical configuration endpoints.

CVSS 10.0
EPSS 2.5%
KEV Pred 72%
Product Ubiquiti Inc UniFi OS Server ubiquiti
CVSS v3.1 KEV CWE-284 PoC
21 May/26
CVE-2026-48172
CRITICAL

This vulnerability is a privilege escalation flaw rooted in improper handling of Redis enable/disable features within the LiteSpeed User-End cPanel Plugin. The affected component mismanages internal API calls related to the "cpanel_jsonapi_func=redisAble" parameter, allowing unauthorized elevation of privileges. The flaw resides in the plugin's logic that controls Redis functionality toggling, leading to escalation beyond intended permission boundaries.

CVSS 9.8
EPSS 18.9%
KEV Pred 67%
Product LiteSpeed Technologies cPanel Plugin litespeed
CVSS v3.1 CVSS v4.0 KEV CWE-266 PoC RANSOMWARE
14 May/26
CVE-2026-42897
MEDIUM

The vulnerability is a cross-site scripting (XSS) flaw caused by improper neutralization of user-supplied input during web page generation in Microsoft Exchange Server 2016 Cumulative Update 23. This occurs due to insufficient sanitization of input data processed by the web interface, allowing malicious scripts to be injected into dynamically generated pages. The affected component is the web-based management interface of Microsoft Exchange Server 2016 CU23.

CVSS 6.1
EPSS 5.6%
KEV Pred 84%
Product Microsoft Exchange Server 2016 Cumulative Update 23 microsoft
CVSS v3.1 KEV CWE-79 PoC RANSOMWARE
12 May/26
CVE-2026-45321
CRITICAL

This vulnerability is a supply chain compromise involving a chained exploitation of misconfigurations and memory extraction vulnerabilities within GitHub Actions workflows. The root cause includes a pull_request_target misconfiguration allowing elevated access, cache poisoning across fork-to-base trust boundaries, and runtime memory extraction of OIDC tokens from the Actions runner process. The affected component is the npm publishing process for @tanstack/* packages, specifically the trusted-publisher binding in GitHub Actions for TanStack/router, which enabled unauthorized publishing of malicious package versions.

CVSS 9.6
EPSS 2.3%
KEV Pred 73%
Product @tanstack arktype-adapter @tanstack
CVSS v3.1 KEV CWE-506 PoC RANSOMWARE
06 May/26
CVE-2026-0300
CRITICAL

This vulnerability is a buffer overflow caused by improper bounds checking in the User-ID™ Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS software. The flaw arises when the service processes specially crafted network packets, leading to memory corruption. The affected component is the User-ID™ Authentication Portal running on PA-Series and VM-Series firewalls within PAN-OS versions 10.2.0 through 10.2.4.

CVSS 9.8
EPSS 32.1%
KEV Pred 64%
Product Palo Alto Networks Cloud NGFW palo
CVSS v3.1 CVSS v4.0 KEV CWE-787 PoC
14 Apr/26
CVE-2026-32201
MEDIUM

This vulnerability is an improper input validation flaw affecting Microsoft Office SharePoint components within the SharePoint Enterprise Server 2016 environment. The root cause lies in insufficient sanitization of network-originated input data, enabling maliciously crafted requests to bypass validation controls. The affected feature is the SharePoint server's handling of input parameters used in network communication, which fails to enforce strict validation rules, leading to potential spoofing attacks.

CVSS 6.5
EPSS 24.2%
KEV Pred 72%
Product Microsoft SharePoint Enterprise Server 2016 microsoft
CVSS v3.1 KEV CWE-20 PoC RANSOMWARE
01 Apr/26
CVE-2026-5281
HIGH

This vulnerability is a use-after-free condition occurring within the Dawn graphics component of Google Chrome. The flaw arises due to improper management of memory lifecycle for objects in the renderer process, leading to dereferencing of freed memory. The affected component is the Dawn WebGPU implementation used for rendering operations in Chrome versions prior to 146.0.7680.178.

CVSS 8.8
EPSS 5.0%
KEV Pred 70%
Product Google Chrome google
CVSS v3.1 KEV CWE-416 PoC
30 Mar/26
CVE-2026-3502
HIGH

The vulnerability in TrueConf Client is an insecure update mechanism classified under CWE-494 (Download of Code Without Integrity Check). The client downloads and applies update code without verifying its authenticity or integrity, affecting the update delivery component. This lack of verification allows substitution of the update payload during transmission.

CVSS 7.8
EPSS 5.8%
KEV Pred 60%
Product TrueConf Client trueconf
CVSS v3.1 KEV CWE-494 PoC
12 Mar/26
CVE-2026-3910
HIGH

This vulnerability is a code injection flaw rooted in improper handling of script evaluation within the V8 JavaScript engine used by Google Chrome. Specifically, the issue arises from unsafe execution of dynamically generated code inside the sandbox environment, allowing crafted HTML content to trigger arbitrary code execution. The affected component is the V8 engine prior to version 146.0.7680.75, which fails to adequately sanitize or restrict the execution context of injected scripts.

CVSS 8.8
EPSS 2.0%
KEV Pred 68%
Product Google Chrome google
CVSS v3.1 KEV CWE-94 PoC
12 Mar/26
CVE-2026-3909
HIGH

This vulnerability is an out-of-bounds write occurring within the Skia graphics library component of Google Chrome. The root cause is improper bounds checking during memory operations, leading to memory corruption when processing crafted graphical data. The flaw specifically affects versions of Google Chrome prior to 146.0.7680.75, impacting the rendering engine's handling of certain HTML content.

CVSS 8.8
EPSS 1.6%
KEV Pred 71%
Product Google Chrome google
CVSS v3.1 KEV CWE-787 PoC
11 Mar/26
CVE-2025-67038
CRITICAL

This vulnerability is a command injection flaw rooted in improper input sanitization within the HTTP RPC module of Lantronix EDS5000 firmware version 2.1.0.0R3. Specifically, the username parameter used during authentication failure handling is concatenated directly into a shell command without validation or escaping. This unsafe string concatenation occurs in the log-writing function, enabling injection of arbitrary operating system commands executed with root privileges.

CVSS 9.8
EPSS 0.9%
KEV Pred 70%
Product N/A
CVSS v3.1 KEV CWE-94 PoC
04 Mar/26
CVE-2026-20131
CRITICAL

This vulnerability is an insecure deserialization flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC). It arises from the unsafe processing of user-supplied serialized Java byte streams, allowing manipulation of the deserialization process. The affected component is the Java deserialization mechanism within the FMC's management interface, which improperly validates incoming serialized objects.

CVSS 10.0
EPSS 27.6%
KEV Pred 78%
Product Cisco Secure Firewall Management Center (FMC) cisco
CVSS v3.1 KEV CWE-502 PoC RANSOMWARE
13 Feb/26
CVE-2026-2441
HIGH

This vulnerability is a use-after-free condition within the CSS processing component of Google Chrome. The flaw arises from improper memory management when handling CSS objects, leading to dereferencing of freed memory. The affected component is the CSS engine in versions of Google Chrome prior to 145.0.7632.75, which fails to maintain valid references during CSS parsing and rendering.

CVSS 8.8
EPSS 22.0%
KEV Pred 71%
Product Google Chrome google
CVSS v3.1 KEV CWE-416 PoC
10 Feb/26
CVE-2026-21510
HIGH

This vulnerability is a protection mechanism failure within the Windows Shell component of Microsoft Windows 10 versions 1607, 1809, and 21H2. The root cause lies in inadequate enforcement of a security feature designed to restrict unauthorized access during shell operations. This flaw allows bypassing of built-in security controls when processing certain network-originated requests, affecting the integrity of the shell's protection mechanisms.

CVSS 8.8
EPSS 25.8%
KEV Pred 75%
Product Microsoft Windows 10 Version 1607 microsoft
CVSS v3.1 KEV CWE-693 PoC RANSOMWARE
03 Feb/26
CVE-2025-15556
HIGH

This vulnerability is an update integrity verification flaw in the WinGUp updater component of Notepad++ prior to version 8.8.9. The root cause is the absence of cryptographic verification for downloaded update metadata and installer files, allowing tampered or malicious update packages to be accepted and executed. The affected feature is the automatic update mechanism responsible for fetching and applying software updates.

CVSS 7.5
EPSS 1.3%
KEV Pred 71%
Product notepad-plus-plus notepad-plus-plus
CVSS v3.1 CVSS v4.0 KEV CWE-494 PoC
21 Jan/26
CVE-2026-20045
CRITICAL

This vulnerability is a command injection flaw caused by improper validation of user-supplied input within HTTP requests processed by the web-based management interface of Cisco Unified Communications Manager and related components. The root cause lies in the failure to sanitize or restrict input parameters, allowing crafted HTTP requests to invoke unauthorized command execution on the underlying operating system. Affected components include Unified Communications Manager, Session Management Edition, IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance.

CVSS 9.8
EPSS 4.3%
KEV Pred 74%
Product Cisco Unified Communications Manager cisco
CVSS v3.1 KEV CWE-94 PoC RANSOMWARE
13 Jan/26
CVE-2026-20963
CRITICAL

This vulnerability is a deserialization flaw occurring in Microsoft Office SharePoint Enterprise Server 2016. The root cause lies in improper handling of untrusted serialized data, which allows malicious input to be deserialized without sufficient validation. The affected component is the SharePoint server's deserialization mechanism responsible for processing incoming serialized objects over the network.

CVSS 9.8
EPSS 31.1%
KEV Pred 78%
Product Microsoft SharePoint Enterprise Server 2016 microsoft
CVSS v3.1 KEV CWE-502 PoC RANSOMWARE
22 Dec/25
CVE-2025-68645
HIGH

This vulnerability is a Local File Inclusion (LFI) flaw caused by improper validation and sanitization of user-supplied parameters within the RestFilter servlet of the Webmail Classic UI in Zimbra Collaboration Suite versions 10.0 and 10.1. The servlet fails to correctly handle request parameters, allowing manipulation of internal request dispatching logic. This flaw affects the /h/rest endpoint, enabling unauthorized access to internal file inclusion mechanisms within the WebRoot directory.

CVSS 8.8
EPSS 31.8%
KEV Pred 78%
Product Synacor Zimbra Collaboration Suite (ZCS) synacor
CVSS v3.1 KEV CWE-98 PoC
19 Dec/25
CVE-2025-14733
CRITICAL

This vulnerability is an out-of-bounds write in the WatchGuard Fireware OS VPN components. The root cause lies in improper bounds checking when processing IKEv2 packets for Mobile User VPN and Branch Office VPN configured with dynamic gateway peers. The flaw occurs within the Fireware OS VPN protocol handling code, leading to memory corruption due to writing outside allocated buffers.

CVSS 9.8
EPSS 18.0%
KEV Pred 80%
Product WatchGuard Fireware OS watchguard
CVSS v3.1 CVSS v4.0 KEV CWE-787 PoC
18 Dec/25
CVE-2025-40602
MEDIUM

This vulnerability is a local privilege escalation caused by insufficient authorization checks within the SonicWall SMA1000 appliance management console (AMC). The flaw arises from improper enforcement of access control mechanisms, allowing users with limited privileges to perform actions reserved for higher privilege levels. The affected component is the AMC interface responsible for managing device configurations and operations.

CVSS 6.6
EPSS 1.9%
KEV Pred 79%
Product SonicWall SMA1000 sonicwall
CVSS v3.1 KEV CWE-250 PoC
18 Dec/25
CVE-2025-68461
MEDIUM

This vulnerability is a Cross-Site Scripting (XSS) flaw rooted in improper sanitization of SVG documents, specifically within the animate tag. The Roundcube Webmail rendering engine fails to correctly validate or escape user-supplied SVG content, allowing malicious scripts to be injected and executed. The affected component is the SVG handling functionality in Roundcube Webmail versions prior to 1.5.12 and 1.6.12.

CVSS 6.1
EPSS 19.8%
KEV Pred 80%
Product Roundcube Webmail roundcube
CVSS v3.1 KEV CWE-79 PoC
17 Dec/25
CVE-2025-43529
HIGH

This vulnerability is a use-after-free flaw arising from improper memory management within the Apple Safari web content processing engine. Specifically, the issue occurs when handling certain crafted web content, leading to the premature release of memory objects that are subsequently accessed. The affected components include Safari browser and WebKit-based rendering on multiple Apple operating systems such as iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.

CVSS 8.8
EPSS 8.4%
KEV Pred 78%
Product Apple Safari apple
CVSS v3.1 KEV CWE-416 PoC
17 Dec/25
CVE-2025-20393
CRITICAL

This vulnerability is a command injection flaw caused by insufficient validation of HTTP requests processed by the Spam Quarantine feature in Cisco AsyncOS Software. The root cause lies in the improper sanitization of input parameters within the HTTP request handling logic, allowing crafted requests to reach system-level command execution functions. The affected component is the Spam Quarantine feature of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager running AsyncOS.

CVSS 10.0
EPSS 29.1%
KEV Pred 72%
Product Cisco Secure Email cisco
CVSS v3.1 KEV CWE-20 PoC RANSOMWARE
12 Dec/25
CVE-2025-14174
HIGH

This vulnerability is an out-of-bounds memory access flaw rooted in improper bounds checking within the ANGLE graphics engine component of Google Chrome on macOS. Specifically, malformed HTML content triggers the flaw during the processing of graphics rendering commands, causing memory reads or writes beyond allocated buffers. The affected component is ANGLE, a graphics abstraction layer used by Chrome to translate OpenGL ES calls to native APIs.

CVSS 8.8
EPSS 22.4%
KEV Pred 84%
Product Google Chrome google
CVSS v3.1 KEV CWE-787 PoC
25 Sep/25
CVE-2025-20333
CRITICAL

This vulnerability is a buffer overflow (CWE-120) caused by improper validation of user-supplied input within the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software. Specifically, crafted HTTP(S) requests containing malicious payloads are not correctly sanitized, leading to memory corruption in the web VPN interface. The flaw resides in the handling of HTTP requests processed by the VPN web server module.

CVSS 9.9
EPSS 40.4%
KEV Pred 72%
Product Cisco Secure Firewall Adaptive Security Appliance (ASA) Software cisco
CVSS v3.1 KEV CWE-120 PoC RANSOMWARE
24 Sep/25
CVE-2025-20352
HIGH

This vulnerability is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software. The flaw arises from improper handling of SNMP packets, specifically when processing SNMPv1, SNMPv2c, or SNMPv3 community strings or user credentials. The affected component is the SNMP service implementation, which fails to properly validate input size, leading to memory corruption within the SNMP processing stack.

CVSS 7.7
EPSS 37.6%
KEV Pred 79%
Product Cisco IOS cisco
CVSS v3.1 KEV CWE-121 PoC
24 Sep/25
CVE-2025-10585
CRITICAL

This vulnerability is a type confusion flaw within the V8 JavaScript engine component of Google Chrome. The root cause lies in improper type handling during object manipulation, which leads to heap corruption. Specifically, crafted inputs to the V8 engine cause the engine to misinterpret data types, affecting memory safety in the JavaScript execution environment.

CVSS 9.8
EPSS 5.4%
KEV Pred 77%
Product Google Chrome google
CVSS v3.1 KEV CWE-843 PoC
12 Sep/25
CVE-2025-21042
CRITICAL

This vulnerability is an out-of-bounds write occurring within the libimagecodec.quram.so library component of Samsung Mobile Devices. The root cause involves improper boundary checking when processing image codec data, leading to memory corruption. The flaw affects multiple Samsung Android 13.0 firmware versions prior to the April 2025 Security Maintenance Release (SMR).

CVSS 9.8
EPSS 11.6%
KEV Pred 83%
Product Samsung Mobile Devices samsung
CVSS v3.1 KEV CWE-787 PoC
03 Sep/25
CVE-2025-53690
CRITICAL

This vulnerability is a deserialization of untrusted data flaw within Sitecore Experience Manager (XM) and Experience Platform (XP) components. The root cause lies in the improper handling of serialized objects received from untrusted sources, allowing malicious input to be deserialized without sufficient validation. This affects the deserialization routines in versions through 9.0 of Sitecore XM and XP, enabling injection of arbitrary code during the deserialization process.

CVSS 9.0
EPSS 30.8%
KEV Pred 85%
Product Sitecore Experience Manager (XM) sitecore
CVSS v3.1 KEV CWE-502 PoC
29 Aug/25
CVE-2025-55177
MEDIUM

This vulnerability is an incomplete authorization flaw in the linked device synchronization message handling within WhatsApp for iOS and Mac clients. The root cause lies in insufficient validation of synchronization messages originating from linked devices, allowing unauthorized processing of content URLs. The affected component is the message synchronization subsystem in WhatsApp Desktop for Mac and iOS versions prior to 2.25.21.78 and 2.25.21.73 respectively.

CVSS 5.4
EPSS 4.1%
KEV Pred 72%
Product Facebook WhatsApp Desktop for Mac facebook
CVSS v3.1 KEV CWE-863 PoC
26 Aug/25
CVE-2025-7775
CRITICAL

This vulnerability is a memory overflow flaw classified under CWE-119, affecting the NetScaler ADC and NetScaler Gateway components. It arises from improper handling of memory buffers in specific virtual server configurations, including Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), AAA virtual servers, and load balancing (LB) virtual servers bound with IPv6 services or service groups. The root cause is a buffer overflow condition triggered by malformed network traffic targeting these configured virtual servers, leading to memory corruption in the affected software modules.

CVSS 9.8
EPSS 19.0%
KEV Pred 78%
Product NetScaler ADC netscaler
CVSS v3.1 CVSS v4.0 KEV CWE-119 PoC
21 Aug/25
CVE-2025-43300
CRITICAL

This vulnerability is an out-of-bounds write occurring due to insufficient bounds checking during the processing of image files. The flaw resides in the image parsing component of Apple iOS and iPadOS, where improper validation of input data allows memory to be overwritten beyond allocated buffers. This memory corruption arises specifically when handling crafted malicious image files, affecting multiple Apple operating systems including iOS, iPadOS, and macOS variants.

CVSS 10.0
EPSS 20.0%
KEV Pred 73%
Product Apple iOS and iPadOS apple
CVSS v3.1 KEV CWE-787 PoC
29 Jul/25
CVE-2025-31277
HIGH

This vulnerability is a memory corruption flaw rooted in improper memory handling within the web content processing component of Apple Safari and related Apple operating systems. Specifically, the flaw arises from insecure management of memory buffers when parsing or rendering maliciously crafted web content. The affected components include the Safari browser engine and its integration across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS platforms.

CVSS 8.8
EPSS 1.5%
KEV Pred 67%
Product Apple Safari apple
CVSS v3.1 KEV CWE-119 PoC
19 Jul/25
CVE-2025-54313
HIGH

This vulnerability is a supply chain compromise involving malicious code embedded within specific versions of the eslint-config-prettier npm package. The root cause is the inclusion of a malicious install.js script that executes automatically during package installation. This script triggers execution of a node-gyp.dll malware payload on Windows environments, affecting the package's installation process and the integrity of the affected component.

CVSS 7.5
EPSS 4.1%
KEV Pred 82%
Product prettier eslint-config-prettier prettier
CVSS v3.1 KEV CWE-506 PoC
15 Jul/25
CVE-2025-6558
HIGH

This vulnerability is a type of input validation flaw classified under CWE-20, occurring within the ANGLE and GPU components of Google Chrome. The root cause is insufficient validation of untrusted input data processed by these graphics-related subsystems, which handle rendering tasks. This flaw affects the rendering pipeline that processes HTML content, specifically in versions of Google Chrome prior to 138.0.7204.157.

CVSS 8.8
EPSS 9.2%
KEV Pred 76%
Product Google Chrome google
CVSS v3.1 KEV CWE-20 PoC
08 Jul/25
CVE-2025-48384
HIGH

This vulnerability is a path manipulation and symbolic link (symlink) exploitation issue in Git's submodule initialization process. The root cause lies in improper handling of trailing carriage return (CR) characters in configuration values and submodule paths, where CR characters are stripped or lost during reading and writing operations. This affects the submodule path resolution component, allowing altered paths with trailing CRs to be processed incorrectly, leading to potential execution of unintended scripts.

CVSS 8.0
EPSS 2.8%
KEV Pred 82%
Product git git
CVSS v3.1 KEV CWE-59 PoC
30 Jun/25
CVE-2025-6554
HIGH

This vulnerability is a type confusion flaw within the V8 JavaScript engine component of Google Chrome. The root cause stems from improper handling of object types during internal operations, leading to misinterpretation of data structures. It specifically affects versions of Google Chrome prior to 138.0.7204.96, compromising the memory management logic in V8's execution environment.

CVSS 8.1
EPSS 6.6%
KEV Pred 73%
Product Google Chrome google
CVSS v3.1 KEV CWE-843 PoC
Page 1 of 3 (117 total)