Detections
Analytics

CVEs

Tenable maintains a list of Common Vulnerabilities and Exposures (CVEs) and their affected products. Tenable augments the data to include related Tenable Plugins that detect each vulnerability. 320164 CVEs are indexed from NVD.

RSS Feeds

Search

Vulnerability Watch ›

  • CVE-2025-58034
    highVulnerability of Interest

    Exploitation of this Fortinet FortiWeb vulnerability has been observed. Patches have been released and should be applied as soon as possible.

  • CVE-2025-64446
    criticalVulnerability of Interest

    Exploitation of this Fortinet FortiWeb vulnerability has been observed. Patches have been released and should be applied as soon as possible.

  • CVE-2025-61757
    criticalVulnerability of Interest

    Exploitation of this Oracle Identity Manager remote code execution vulnerability has been observed. Immediate patching is recommended.

  • CVE-2025-20362
    highVulnerability of Interest

    CISA has released updated patch guidance and urges immediate patching for these Cisco vulnerabilities which have been exploited in the wild.

  • CVE-2025-20333
    criticalVulnerability of Interest

    CISA has released updated patch guidance and urges immediate patching for these Cisco vulnerabilities which have been exploited in the wild.

  • CVE-2025-41115
    criticalVulnerability Being Monitored

    This maximum severity flaw affecting Grafana could allow for privilege escalation. Immediate patching is recommended.

  • CVE-2025-60673
    mediumVulnerability Being Monitored

    While these D-Link flaws have not been exploited, they impact end of life devices. No patches will be released and affected models should be replaced with supported devices

  • CVE-2025-60672
    mediumVulnerability Being Monitored

    While these D-Link flaws have not been exploited, they impact end of life devices. No patches will be released and affected models should be replaced with supported devices

Newest ›

  • CVE-2025-63735
    medium

    A reflected Cross site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.

  • CVE-2025-62703
    high

    Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326.

  • CVE-2025-21621
    medium

    GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.

  • CVE-2025-58360
    high

    GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

  • CVE-2025-51746
    critical

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51745
    critical

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51744
    critical

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51743
    critical

    An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.

  • CVE-2025-51741
    high

    An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint potentially causing a denial of service to the server or the downstream users.

  • CVE-2025-9624
    high

    A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions below 3.2.0.

Updated ›

  • CVE-2025-9803
    critical

    lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.

  • CVE-2025-9624
    high

    A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions below 3.2.0.

  • CVE-2025-7402
    high

    The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

  • CVE-2025-6741
    high

    Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.4.0 * Devolutions Server 2025.1.11.0 and earlier

  • CVE-2025-66187
    No Score

    Rejected reason: Not used

  • CVE-2025-66186
    No Score

    Rejected reason: Not used

  • CVE-2025-66185
    No Score

    Rejected reason: Not used

  • CVE-2025-66184
    No Score

    Rejected reason: Not used

  • CVE-2025-66183
    No Score

    Rejected reason: Not used

  • CVE-2025-66182
    No Score

    Rejected reason: Not used