CVE Tracker

CVE ID	Severity	EPSS	Vendor	Description	Date	Status
CVE-2025-48703	High	46.4%	CWPControl Web Panel	CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.	Nov 4, 2025	KEV
CVE-2025-24893(1)	High	94.2%	XWikiPlatform	XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.	Oct 30, 2025	KEV
CVE-2025-41244	High	0.5%	BroadcomVMware Aria Operations and VMware Tools	Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.	Oct 30, 2025	KEV
CVE-2025-6205	High	49.5%	Dassault SystèmesDELMIA Apriso	Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.	Oct 28, 2025	KEV
CVE-2025-6204	High	8.8%	Dassault SystèmesDELMIA Apriso	Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.	Oct 28, 2025	KEV
CVE-2025-59287	High	73.0%	MicrosoftWindows	Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.	Oct 24, 2025	KEV
CVE-2025-54236	High	73.7%	AdobeCommerce and Magento	Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.	Oct 24, 2025	KEV
CVE-2025-61932	High	3.7%	MotexLANSCOPE Endpoint Manager	Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets.	Oct 22, 2025	KEV
CVE-2025-61884	High	30.3%	OracleE-Business Suite	Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.	Oct 20, 2025	KEV
CVE-2025-2747	High	88.9%	KenticoXperience CMS	Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.	Oct 20, 2025	KEV
CVE-2022-48503(1)	High	0.3%	AppleMultiple Products	Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.	Oct 20, 2025	KEV
CVE-2025-33073	High	54.2%	MicrosoftWindows	Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.	Oct 20, 2025	KEV
CVE-2025-2746	High	86.1%	KenticoXperience CMS	Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.	Oct 20, 2025	KEV
CVE-2025-54253	High	28.7%	AdobeExperience Manager (AEM) Forms	Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.	Oct 15, 2025	KEV
CVE-2025-24990	High	4.3%	MicrosoftWindows	Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.	Oct 14, 2025	KEV
CVE-2025-47827	High	1.8%	IGELIGEL OS	IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.	Oct 14, 2025	KEV
CVE-2016-7836	High	53.2%	SKYSEAClient View	SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.	Oct 14, 2025	KEV
CVE-2025-59230	High	5.6%	MicrosoftWindows	Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.	Oct 14, 2025	KEV
CVE-2021-43798	High	94.4%	Grafana LabsGrafana	Grafana contains a path traversal vulnerability that could allow access to local files.	Oct 9, 2025	KEV
CVE-2025-27915(1)	High	24.9%	SynacorZimbra Collaboration Suite (ZCS)	Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.	Oct 7, 2025	KEV

CVE-2025-48703KEV

High

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

CWPEPSS 46.4%

CVE-2025-24893KEV

High

XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.

XWikiEPSS 94.2%

CVE-2025-41244KEV

High

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

BroadcomEPSS 0.5%

CVE-2025-6205KEV

High

Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.

Dassault SystèmesEPSS 49.5%

CVE-2025-6204KEV

High

Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.

Dassault SystèmesEPSS 8.8%

CVE-2025-59287KEV

High

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

MicrosoftEPSS 73.0%

CVE-2025-54236KEV

High

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

AdobeEPSS 73.7%

CVE-2025-61932KEV

High

Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets.

MotexEPSS 3.7%

CVE-2025-61884KEV

High

Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.

OracleEPSS 30.3%

CVE-2025-2747KEV

High

Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.

KenticoEPSS 88.9%

CVE-2022-48503KEV

High

Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

AppleEPSS 0.3%

CVE-2025-33073KEV

High

Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.

MicrosoftEPSS 54.2%

CVE-2025-2746KEV

High

Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.

KenticoEPSS 86.1%

CVE-2025-54253KEV

High

Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.

AdobeEPSS 28.7%

CVE-2025-24990KEV

High

Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.

MicrosoftEPSS 4.3%

CVE-2025-47827KEV

High

IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.

IGELEPSS 1.8%

CVE-2016-7836KEV

High

SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.

SKYSEAEPSS 53.2%

CVE-2025-59230KEV

High

Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.

MicrosoftEPSS 5.6%

CVE-2021-43798KEV

High

Grafana contains a path traversal vulnerability that could allow access to local files.

Grafana LabsEPSS 94.4%

CVE-2025-27915KEV

High

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

SynacorEPSS 24.9%

37 38 39 40 41 42 43