CVE Field Guide

Critical CVEs

| CVE | Title | Updated (DD.MM.YYYY) | Score |
| --- | --- | --- | --- |
| CVE-2025-55182 | | 03.12.2025 | 10 |
| CVE-2025-13390 | WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover | 03.12.2025 | 10 |
| CVE-2025-13342 | Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update | 03.12.2025 | 9.8 |
| CVE-2025-13486 | Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form | 03.12.2025 | 9.8 |
| CVE-2025-13658 | Industrial Video & Control Longwatch has a Code Injection vulnerability | 02.12.2025 | 9.3 |
| CVE-2025-13510 | Iskra iHUB and iHUB Lite has a Missing Authentication for Critical Function vulnerability | 02.12.2025 | 9.3 |
| CVE-2025-13542 | DesignThemes LMS <= 1.0.4 - Unauthenticated Privilege Escalation | 02.12.2025 | 9.8 |
| CVE-2025-13828 | Mautic user without privileged access to the Marketplace can install and uninstall composer packages | 02.12.2025 | 9 |
| CVE-2025-11778 | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 | 02.12.2025 | 10 |
| CVE-2025-11779 | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 | 02.12.2025 | 9.4 |
| CVE-2025-41742 | Sprecher Automation: SPRECON-E series has a critical vulnerability due to the use of static cryptographic keys in system components | 02.12.2025 | 9.8 |
| CVE-2025-41744 | Sprecher Automation: SPRECON-E series has static default key material for TLS connections | 02.12.2025 | 9.1 |
| CVE-2025-66401 | MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL | 02.12.2025 | 9.8 |
| CVE-2025-3500 | Integer Overflow in Avast Antivirus 25.1.981.6 on Windows may result in privilege escalation | 02.12.2025 | 9 |
| CVE-2025-8351 | Scanning a malformed file in Avast Antivirus 8.3.70.94 on MacOS may result in remote code execution | 01.12.2025 | 9 |
| CVE-2025-63532 | | 01.12.2025 | 9.6 |
| CVE-2025-63535 | | 01.12.2025 | 9.6 |
| CVE-2025-63525 | | 01.12.2025 | 9.6 |
| CVE-2025-63531 | | 01.12.2025 | 10 |
| CVE-2025-35028 | HexStrike AI MCP Server Command Injection | 01.12.2025 | 9.1 |
| CVE-2025-13615 | StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change | 01.12.2025 | 9.8 |
| CVE-2025-66224 | OrangeHRM is Vulnerable to Code Execution Through Arbitrary File Write from Sendmail Parameter Injection | 01.12.2025 | 9 |
| CVE-2025-66216 | AIS-catcher has a Buffer Overflow vulnerability in `AIS::Message` leading to DoS/RCE | 01.12.2025 | 9.3 |
| CVE-2025-65112 | PubNet Critical Authentication Bypass Allows Unauthenticated Package Upload and Identity Spoofing | 01.12.2025 | 9.4 |
| CVE-2025-66385 | | 28.11.2025 | 9.4 |
| CVE-2025-64314 | | 28.11.2025 | 9.3 |
| CVE-2025-12421 | Account Takeover via Code Exchange Endpoint | 02.12.2025 | 9.9 |
| CVE-2025-12419 | Account takeover on OAuth/OpenID-enabled servers | 02.12.2025 | 9.9 |
| CVE-2025-12140 | RCE in Wirtualna Uczelnia | 28.11.2025 | 9.3 |
| CVE-2025-8890 | Authenticated RCE in SDMC NE6037 router | 27.11.2025 | 9.3 |
| CVE-2025-13538 | FindAll Listing <= 1.0.5 - Unauthenticated Privilege Escalation | 28.11.2025 | 9.8 |
| CVE-2025-13539 | FindAll Membership <= 1.0.4 - Authentication Bypass via Social Login | 28.11.2025 | 9.8 |
| CVE-2025-13540 | Tiare Membership <= 1.2 - Unauthenticated Privilege Escalation | 28.11.2025 | 9.8 |
| CVE-2025-13675 | Tiger <= 101.2.1 - Unauthenticated Privilege Escalation | 28.11.2025 | 9.8 |
| CVE-2024-5539 | ALC WebCTRL Carrier i-Vu Access Control Bypass | 28.11.2025 | 9.2 |

Latest Updates

| CVE | Title | Updated (DD.MM.YYYY) | Score |
| --- | --- | --- | --- |
| CVE-2025-55182 | | 03.12.2025 | 10 |
| CVE-2025-57199 | | 03.12.2025 | |
| CVE-2025-7044 | Privilege Escalation in MAAS via Websocket Request Manipulation | 03.12.2025 | 7.7 |
| CVE-2025-57198 | | 03.12.2025 | |
| CVE-2025-57201 | | 03.12.2025 | |
| CVE-2025-57200 | | 03.12.2025 | |
| CVE-2025-65267 | | 03.12.2025 | |
| CVE-2025-53841 | | 03.12.2025 | 7.8 |
| CVE-2025-13948 | opsre go-ldap-admin JWT docker-compose.yaml hard-coded key | 03.12.2025 | |
| CVE-2025-13949 | ProudMuBai GoFilm FileController.go SingleUpload unrestricted upload | 03.12.2025 | |
| CVE-2025-13354 | Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation | 03.12.2025 | 4.3 |
| CVE-2025-13359 | Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Authenticated (Contributor+) SQL Injection | 03.12.2025 | 6.5 |
| CVE-2025-13390 | WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover | 03.12.2025 | 10 |
| CVE-2025-13401 | Autoptimize <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting | 03.12.2025 | 6.4 |
| CVE-2025-13756 | Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution <= 1.9.11 - Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management | 03.12.2025 | 4.3 |
| CVE-2025-12358 | ShopEngine <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation | 03.12.2025 | 4.3 |
| CVE-2025-12887 | Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update | 03.12.2025 | 5.4 |
| CVE-2025-13109 | HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' | 03.12.2025 | 4.3 |
| CVE-2025-13342 | Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update | 03.12.2025 | 9.8 |
| CVE-2025-39665 | Livestatus Injection in dynmaps | 03.12.2025 | |
| CVE-2025-13947 | Webkit: webkitgtk: remote user-assisted information disclosure via file drag-and-drop | 03.12.2025 | |
| CVE-2025-13472 | Missing authorization in BlazeMeter Jenkins Plugin | 03.12.2025 | |
| CVE-2025-12744 | Abrt: command-injection in abrt leading to local privilege escalation | 03.12.2025 | |
| CVE-2025-29864 | | 03.12.2025 | |
| CVE-2025-13945 | Improperly Controlled Sequential Memory Allocation in Wireshark | 03.12.2025 | 5.5 |
| CVE-2025-13946 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark | 03.12.2025 | 5.5 |
| CVE-2025-13486 | Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form | 03.12.2025 | 9.8 |
| CVE-2025-12954 | Timetable and Event Schedule by MotoPress < 2.4.16 - Contributor+ Event Disclosure via IDOR | 03.12.2025 | |
| CVE-2025-10304 | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.3.8 - Missing Authorization to Unauthenticated Backup Failure | 03.12.2025 | 5.3 |
| CVE-2025-12585 | MxChat – AI Chatbot for WordPress <= 2.5.5 - Unauthenticated Information Exposure | 03.12.2025 | 5.3 |
| CVE-2025-13495 | FluentCart A New Era of eCommerce <= 1.3.1 - Authenticated (Administrator+) SQL Injection via 'groupKey' Parameter | 03.12.2025 | 4.9 |
| CVE-2025-13448 | CSSIgniter Shortcodes <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute | 03.12.2025 | 6.4 |
| CVE-2025-13645 | Modula 2.13.1 - 2.13.2 - Authenticated (Author+) Arbitrary File Deletion | 03.12.2025 | 7.2 |
| CVE-2025-13646 | Modula 2.13.1 - 2.13.2 - Authenticated (Author+) Arbitrary File Upload via Race Condition | 03.12.2025 | 7.5 |