Cybersecurity Help has compiled a list of TOP-100 vulnerabilities that are known to be exploited in the wild. This page is being updated in real time to reflect all changes in our vulnerability database.
| # | EUVDB-ID | Title | CVE-ID | Vendor | Software | Software category | Vulnerability type (CWE) | Public exploit |
|---|---|---|---|---|---|---|---|---|
| 1 | #VU110708 | External Control of File Name or Path | CVE-2025-33053 | Microsoft | Microsoft Internet Explorer | Web browsers | CWE-73 External Control of File Name or Path | Yes |
| 2 | #VU100528 | OS Command Injection | CVE-2024-9474 | Palo Alto Networks, Inc. | Palo Alto PAN-OS | Operating system | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes |
| 3 | #VU100596 | Improper authentication | CVE-2024-0012 | Palo Alto Networks, Inc. | Palo Alto PAN-OS | Operating system | CWE-287 Improper Authentication | Yes |
| 4 | #VU110003 | Deserialization of Untrusted Data | CVE-2025-49113 | Roundcube | Roundcube | Webmail solutions | CWE-502 Deserialization of Untrusted Data | Yes |
| 5 | #VU102617 | Heap-based buffer overflow | CVE-2025-21333 | Microsoft | Windows | Operating system | CWE-122 Heap-based Buffer Overflow | Yes |
| 6 | #VU108680 | Code Injection | CVE-2025-3248 | Langflow | Langflow | Other software solutions | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 7 | #VU110698 | Deserialization of Untrusted Data | CVE-2025-24016 | Wazuh | Wazuh | Server solutions for antivirus protection | CWE-502 Deserialization of Untrusted Data | Yes |
| 8 | #VU109101 | Stack-based buffer overflow | CVE-2025-32756 | Fortinet, Inc | FortiVoice | Conferencing, Collaboration and VoIP solutions | CWE-121 Stack-based buffer overflow | Yes |
| 9 | #VU95292 | Cross-site scripting | CVE-2024-42009 | Roundcube | Roundcube | Webmail solutions | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Yes |
| 10 | #VU107594 | Missing Authentication for Critical Function | CVE-2025-32433 | erlang | otp | Other software solutions | CWE-306 Missing Authentication for Critical Function | Yes |
| 11 | #VU102473 | Stack-based buffer overflow | CVE-2025-0282 | Ivanti | Ivanti Connect Secure (formerly Pulse Connect Secure) | Remote access servers, VPN | CWE-121 Stack-based buffer overflow | Yes |
| 12 | #VU71002 | Permissions, Privileges, and Access Controls | CVE-2023-21768 | Microsoft | Windows | Operating system | CWE-264 Permissions, Privileges, and Access Controls | Yes |
| 13 | #VU111086 | Input validation error | CVE-2025-43200 | Apple Inc. | Apple iOS | Operating system | CWE-20 Improper input validation | No |
| 14 | #VU111078 | Input validation error | CVE-2023-29492 | Novi Survey | Novi Survey | Other software | CWE-20 Improper input validation | No |
| 15 | #VU109049 | Type confusion | CVE-2025-30397 | Microsoft | Microsoft Internet Explorer | Web browsers | CWE-843 Type confusion | Yes |
| 16 | #VU106062 | Missing authorization | CVE-2025-2825 | CrushFTP | CrushFTP | File servers (FTP/HTTP) | CWE-862 Missing Authorization | Yes |
| 17 | #VU106062 | Missing authorization | CVE-2025-31161 | CrushFTP | CrushFTP | File servers (FTP/HTTP) | CWE-862 Missing Authorization | Yes |
| 18 | #VU107018 | Code Injection | CVE-2025-2945 | PlanGenius Admin | pgAdmin | Remote management & hosting panels | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 19 | #VU109837 | Improper protection of alternate path | CVE-2025-48827 | vBulletin | vBulletin | Forum & blogging software | CWE-424 Improper Protection of Alternate Path | Yes |
| 20 | #VU109187 | Permissions, Privileges, and Access Controls | CVE-2025-4664 | | Google Chromium | Web browsers | CWE-264 Permissions, Privileges, and Access Controls | Yes |
| 21 | #VU80032 | Path traversal | CVE-2023-2915 | Rockwell Automation | ThinManager | Other server solutions | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 22 | #VU80035 | Path traversal | CVE-2023-2917 | Rockwell Automation | ThinManager | Other server solutions | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 23 | #VU77799 | Path traversal | CVE-2023-27856 | Rockwell Automation | ThinManager | Other server solutions | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 24 | #VU77800 | Path traversal | CVE-2023-27855 | Rockwell Automation | ThinManager | Other server solutions | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 25 | #VU109170 | Code Injection | CVE-2025-4428 | Ivanti | Endpoint Manager Mobile (formerly MobileIron Core) | IDS/IPS systems, Firewalls and proxy servers | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 26 | #VU109035 | Authentication bypass using an alternate path or channel | CVE-2025-4427 | Ivanti | Endpoint Manager Mobile (formerly MobileIron Core) | IDS/IPS systems, Firewalls and proxy servers | CWE-288 Authentication Bypass Using an Alternate Path or Channel | Yes |
| 27 | #VU110085 | Input validation error | CVE-2025-35939 | Pixel & Tonic, Inc. | Craft CMS | CMS | CWE-20 Improper input validation | No |
| 28 | #VU110079 | Out-of-bounds write | CVE-2025-5419 | | Google Chromium | Web browsers | CWE-787 Out-of-bounds write | No |
| 29 | #VU110036 | Incorrect Authorization | CVE-2025-21479 | Qualcomm | SD855 | Firmware | CWE-863 Incorrect Authorization | No |
| 30 | #VU110037 | Incorrect Authorization | CVE-2025-21480 | Qualcomm | SD855 | Firmware | CWE-863 Incorrect Authorization | No |
| 31 | #VU110045 | Use After Free | CVE-2025-27038 | Qualcomm | QCA6391 | Mobile firmware & hardware | CWE-416 Use After Free | No |
| 32 | #VU101835 | Exposed dangerous method or function | CVE-2024-56145 | Pixel & Tonic, Inc. | Craft CMS | CMS | CWE-749 Exposed Dangerous Method or Function | Yes |
| 33 | #VU104127 | Improper Authentication | CVE-2021-32030 | Asus | GT-AC2900 | Firmware | CWE-287 Improper Authentication | No |
| 34 | #VU110022 | Code Injection | CVE-2025-48828 | vBulletin | vBulletin | Forum & blogging software | CWE-94 Improper Control of Generation of Code ('Code Injection') | No |
| 35 | #VU105485 | Input validation error | CVE-2025-24813 | Apache Foundation | Apache Tomcat | Web servers | CWE-20 Improper input validation | Yes |
| 36 | #VU106029 | Input validation error | CVE-2025-2783 | | Google Chromium | Web browsers | CWE-20 Improper input validation | Yes |
| 37 | #VU105715 | Out-of-bounds write | CVE-2025-27363 | freetype.org | FreeType | Libraries used by multiple products | CWE-787 Out-of-bounds write | Yes |
| 38 | #VU105556 | External Control of File Name or Path | CVE-2025-24054 | Microsoft | Windows | Operating system | CWE-73 External Control of File Name or Path | Yes |
| 39 | #VU110000 | SQL injection | CVE-2025-2011 | averta | Depicter - Modern Responsive Touch Slider | Modules and components for CMS | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Yes |
| 40 | #VU81040 | Input validation error | CVE-2023-41992 | Apple Inc. | Apple iOS | Operating system | CWE-20 Improper input validation | Yes |
| 41 | #VU106969 | Stack-based buffer overflow | CVE-2025-22457 | Ivanti | Ivanti Connect Secure (formerly Pulse Connect Secure) | Remote access servers, VPN | CWE-121 Stack-based buffer overflow | Yes |
| 42 | #VU85739 | Missing Authorization | CVE-2024-0204 | Fortra | GoAnywhere MFT | Remote access servers, VPN | CWE-862 Missing Authorization | Yes |
| 43 | #VU109050 | Use-after-free | CVE-2025-30400 | Microsoft | Windows | Operating system | CWE-416 Use After Free | Yes |
| 44 | #VU107322 | Use of hard-coded cryptographic key | CVE-2025-30406 | Gladinet | CentreStack | File servers (FTP/HTTP) | CWE-321 Use of Hard-coded Cryptographic Key | Yes |
| 45 | #VU103330 | Use-after-free | CVE-2025-24085 | Apple Inc. | Apple iOS | Operating system | CWE-416 Use After Free | No |
| 46 | #VU105846 | SQL injection | CVE-2025-24799 | glpi-project | GLPI | CRM systems | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Yes |
| 47 | #VU71482 | Use-after-free | CVE-2023-0266 | Linux Foundation | Linux kernel | Operating system | CWE-416 Use After Free | No |
| 48 | #VU88822 | Buffer overflow | CVE-2024-2961 | GNU | Glibc | Libraries used by multiple products | CWE-119 Memory corruption | Yes |
| 49 | #VU96815 | Cross-site scripting | CVE-2024-27443 | Synacor Inc. | Zimbra Collaboration | Webmail solutions | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | No |
| 50 | #VU96085 | Path traversal | CVE-2024-7399 | Samsung | MagicINFO 9 Server | Other server solutions | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 51 | #VU107159 | Use-after-free | CVE-2025-29824 | Microsoft | Windows | Operating system | CWE-416 Use After Free | Yes |
| 52 | #VU109012 | Deserialization of Untrusted Data | CVE-2025-42999 | SAP | SAP NetWeaver | Application servers | CWE-502 Deserialization of Untrusted Data | No |
| 53 | #VU109214 | Stored cross-site scripting | CVE-2024-11182 | Alt-N | MDaemon | Mail servers | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | No |
| 54 | #VU109052 | Input validation error | CVE-2025-32706 | Microsoft | Windows | Operating system | CWE-20 Improper input validation | No |
| 55 | #VU109051 | Use-after-free | CVE-2025-32709 | Microsoft | Windows | Operating system | CWE-416 Use After Free | No |
| 56 | #VU109047 | Use-after-free | CVE-2025-32701 | Microsoft | Windows | Operating system | CWE-416 Use After Free | No |
| 57 | #VU109018 | Path traversal | CVE-2025-27920 | Srimax Software System | Output Messenger | Conferencing, Collaboration and VoIP solutions | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | No |
| 58 | #VU108659 | Path traversal | CVE-2025-34028 | Commvault | Commvault | IDS/IPS systems, Firewalls and proxy servers | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 59 | #VU107961 | Arbitrary file upload | CVE-2025-31324 | SAP | SAP NetWeaver | Application servers | CWE-434 Unrestricted Upload of File with Dangerous Type | Yes |
| 60 | #VU72753 | Deserialization of Untrusted Data | CVE-2023-27372 | spip.net | SPIP | CMS | CWE-502 Deserialization of Untrusted Data | Yes |
| 61 | #VU105787 | Path traversal | CVE-2025-2264 | Santesoft | PACS Server | Other server solutions | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 62 | #VU107991 | Code Injection | CVE-2025-32432 | Pixel & Tonic, Inc. | Craft CMS | CMS | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 63 | #VU107997 | Input validation error | CVE-2025-3928 | Commvault | Commvault | IDS/IPS systems, Firewalls and proxy servers | CWE-20 Improper input validation | No |
| 64 | #VU107992 | Improper protection of alternate path | CVE-2024-58136 | Yii Software | Yii | CMS | CWE-424 Improper Protection of Alternate Path | No |
| 65 | #VU100611 | Memory leak | CVE-2024-50302 | Linux Foundation | Linux kernel | Operating system | CWE-401 Missing release of memory after effective lifetime | No |
| 66 | #VU102090 | Out-of-bounds write | CVE-2024-53197 | Linux Foundation | Linux kernel | Operating system | CWE-787 Out-of-bounds write | No |
| 67 | #VU96465 | Use of hard-coded credentials | CVE-2024-28987 | SolarWinds | Web Help Desk | Other software | CWE-798 Use of Hard-coded Credentials | Yes |
| 68 | #VU107879 | Stack-based buffer overflow | CVE-2025-42599 | QUALITIA CO., LTD. | Active! mail | Conferencing, Collaboration and VoIP solutions | CWE-121 Stack-based buffer overflow | No |
| 69 | #VU107642 | Code Injection | CVE-2025-1976 | Brocade | Brocade Fabric OS | Operating system | CWE-94 Improper Control of Generation of Code ('Code Injection') | No |
| 70 | #VU103453 | Path traversal | CVE-2024-57727 | simple-help | SimpleHelp | Other client software | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 71 | #VU96385 | Type Confusion | CVE-2024-7971 | | Google Chromium | Web browsers | CWE-843 Type confusion | Yes |
| 72 | #VU82065 | Improper Privilege Management | CVE-2023-20198 | Cisco Systems, Inc | Cisco IOS XE | Operating system | CWE-269 Improper Privilege Management | Yes |
| 73 | #VU107563 | Improper authentication | CVE-2025-31201 | Apple Inc. | iPadOS | Operating system | CWE-287 Improper Authentication | No |
| 74 | #VU107562 | Buffer overflow | CVE-2025-31200 | Apple Inc. | iPadOS | Operating system | CWE-119 Memory corruption | No |
| 75 | #VU105518 | Input validation error | CVE-2025-26633 | Microsoft | Windows | Operating system | CWE-20 Improper input validation | Yes |
| 76 | #VU107382 | OS Command Injection | CVE-2024-50566 | Fortinet, Inc | FortiManager | IDS/IPS systems, Firewalls and proxy servers | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | No |
| 77 | #VU59699 | Improper input validation | CVE-2021-35587 | Oracle | Oracle Access Manager | Directory software, identity management | CWE-20 Improper input validation | Yes |
| 78 | #VU78958 | Inconsistent interpretation of HTTP requests | CVE-2022-22536 | SAP | SAP NetWeaver AS ABAP | Application servers | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') | Yes |
| 79 | #VU87917 | Embedded malicious code (backdoor) | CVE-2024-3094 | tukaani.org | XZ Utils | Libraries used by multiple products | CWE-506 Embedded Malicious Code | Yes |
| 80 | #VU104042 | Code Injection | CVE-2023-35813 | Sitecore | Sitecore Experience Platform | Forum & blogging software | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 81 | #VU86914 | Code Injection | CVE-2024-25600 | bricksbuilder.io | Bricks Builder | Modules and components for CMS | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 82 | #VU96800 | Use of hard-coded credentials | CVE-2024-20439 | Cisco Systems, Inc | Cisco Smart Licensing Utility | Other server solutions | CWE-798 Use of Hard-coded Credentials | No |
| 83 | #VU106284 | Input validation error | CVE-2025-30355 | Matrix.org | Synapse | Conferencing, Collaboration and VoIP solutions | CWE-20 Improper input validation | No |
| 84 | #VU68307 | Code Injection | CVE-2022-42889 | Apache Foundation | Apache Commons Text | Software for developers | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 85 | #VU105991 | Embedded malicious code (backdoor) | CVE-2025-30154 | reviewdog | reviewdog | Software for developers | CWE-506 Embedded Malicious Code | No |
| 86 | #VU88869 | External Control of File Name or Path | CVE-2024-4040 | CrushFTP | CrushFTP | File servers (FTP/HTTP) | CWE-73 External Control of File Name or Path | Yes |
| 87 | #VU91716 | Heap-based buffer overflow | CVE-2024-30085 | Microsoft | Windows | Operating system | CWE-122 Heap-based Buffer Overflow | Yes |
| 88 | #VU105548 | Out-of-bounds write | CVE-2025-24201 | WebKitGTK | WebKitGTK+ | Frameworks for developing and running applications | CWE-787 Out-of-bounds write | No |
| 89 | #VU105882 | Path traversal | CVE-2024-48248 | NAKIVO | Backup & Replication | File servers (FTP/HTTP) | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 90 | #VU105330 | OS Command Injection | CVE-2025-1316 | EDIMAX Technology | IC-7100 IP Camera | Security hardware appliances | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | No |
| 91 | #VU105851 | Spoofing attack | N/A | Microsoft | Windows | Operating system | CWE-451 User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing) | No |
| 92 | #VU105790 | Embedded malicious code (backdoor) | CVE-2025-30066 | tj-actions | changed-files | Other software solutions | CWE-506 Embedded Malicious Code | Yes |
| 93 | #VU91106 | OS Command Injection | CVE-2024-4577 | PHP Group | PHP | Scripting languages | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes |
| 94 | #VU90703 | Code Injection | CVE-2024-25641 | The Cacti Group, Inc. | Cacti | Other software | CWE-94 Improper Control of Generation of Code ('Code Injection') | Yes |
| 95 | #VU94758 | Input validation error | CVE-2024-4879 | ServiceNow | ServiceNow | Other server solutions | CWE-20 Improper input validation | Yes |
| 96 | #VU82690 | Deserialization of Untrusted Data | CVE-2023-46604 | Apache Foundation | ActiveMQ | Mail servers | CWE-502 Deserialization of Untrusted Data | Yes |
| 97 | #VU83960 | Path traversal | CVE-2023-50164 | Apache Foundation | Apache Struts | Frameworks for developing and running applications | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 98 | #VU103970 | Input validation error | CVE-2025-1094 | PostgreSQL Global Development Group | PostgreSQL | Database software | CWE-20 Improper input validation | Yes |
| 99 | #VU82544 | Authentication bypass using an alternate path or channel | CVE-2023-46747 | F5 Networks | BIG-IP | Firmware | CWE-288 Authentication Bypass Using an Alternate Path or Channel | Yes |
| 100 | #VU105745 | Server-Side Request Forgery (SSRF) | N/A | OpenBMCS | OpenBMCS | SCADA systems | CWE-918 Server-Side Request Forgery (SSRF) | Yes |