| CVE | KEV | CVSS | EPSS | Priority | ATT&CK | Description |
|---|---|---|---|---|---|---|
| CVE-2025-61882 | KEV | 9.8 | 0.00% | 8.36 | — | Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versi |
| CVE-2025-59287 | KEV | 9.8 | 0.00% | 8.36 | T1190 | Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. |
| CVE-2025-3450 | — | 10.0 | 0.00% | 7.0 | — | An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an |
| CVE-2025-62168 | — | 10.0 | 0.00% | 7.0 | — | Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling |
| CVE-2025-24990 | KEV | 7.8 | 0.00% | 6.96 | — | Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. T |
| CVE-2025-59230 | KEV | 7.8 | 0.00% | 6.96 | — | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2025-60957 | — | 9.9 | 0.00% | 6.93 | T1059.004 | OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers t |
| CVE-2025-44823 | — | 9.9 | 0.00% | 6.93 | — | Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.ph |
| CVE-2025-61913 | — | 9.9 | 0.00% | 6.93 | T1105 | Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadF |
| CVE-2025-11539 | — | 9.9 | 0.00% | 6.93 | T1203 | Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the |
| CVE-2025-60306 | — | 9.9 | 0.00% | 6.93 | — | code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and per |
| CVE-2025-49708 | — | 9.9 | 0.00% | 6.93 | — | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-55315 | — | 9.9 | 0.00% | 6.93 | — | Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a s |
| CVE-2025-34267 | — | 9.9 | 0.00% | 6.93 | — | Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability |
| CVE-2025-62645 | — | 9.9 | 0.00% | 6.93 | — | The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token wit |
| CVE-2025-9485 | — | 9.8 | 0.00% | 6.86 | — | The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in vers |
| CVE-2023-49886 | — | 9.8 | 0.00% | 6.86 | T1190 | IBM Standards Processing Engine 10.0.1.10 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe java de |
| CVE-2025-57515 | — | 9.8 | 0.00% | 6.86 | T1059.005, T1190 | A SQL injection vulnerability has been identified in Uniclare Student Portal v2. This flaw allows remote attackers to inject arbitrary SQL c |
| CVE-2025-0603 | — | 9.8 | 0.00% | 6.86 | T1059.005, T1190 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Callvision Healthcare Callvision Emerg |
| CVE-2025-52021 | — | 9.8 | 0.00% | 6.86 | T1059.005, T1190 | A SQL Injection vulnerability exists in the edit_product.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The product_id GET |
| CVE-2025-11418 | — | 9.8 | 0.00% | 6.86 | T1068 | A security vulnerability has been detected in Tenda CH22 up to 1.0.0.1. This issue affects the function formWrlsafeset of the file /goform/A |
| CVE-2025-11423 | — | 9.8 | 0.00% | 6.86 | — | A vulnerability was found in Tenda CH22 1.0.0.1. This affects the function formSafeEmailFilter of the file /goform/SafeEmailFilter. Performi |
| CVE-2025-10587 | — | 9.8 | 0.00% | 6.86 | T1059.005, T1190 | The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and includi |
| CVE-2025-10586 | — | 9.8 | 0.00% | 6.86 | T1059.005, T1190 | The Community Events plugin for WordPress is vulnerable to SQL Injection via the ‘event_venue’ parameter in all versions up to, and includin |
| CVE-2025-7526 | — | 9.8 | 0.00% | 6.86 | T1105 | The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renam |
| CVE-2025-7634 | — | 9.8 | 0.00% | 6.86 | — | The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versio |
| CVE-2025-11522 | — | 9.8 | 0.00% | 6.86 | — | The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions |
| CVE-2025-35050 | — | 9.8 | 0.00% | 6.86 | T1190 | Newforma Info Exchange (NIX) accepts serialized .NET data via the '/remoteweb/remote.rem' endpoint, allowing a remote, unauthenticated attac |
| CVE-2025-35051 | — | 9.8 | 0.00% | 6.86 | T1190 | Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, una |
| CVE-2025-59246 | — | 9.8 | 0.00% | 6.86 | — | Azure Entra ID Elevation of Privilege Vulnerability |

Priority = 1.5×KEV + 0.7×CVSS + 1.2×EPSS, where KEV is 1 for entries listed in CISA's Known Exploited Vulnerabilities catalog (marked "KEV" in the table) and 0 otherwise. ATT&CK entries are heuristic hints, not confirmed technique mappings.