TOP-100 known vulnerabilities exploited in the wild (KEV)

Cybersecurity Help has compiled a list of TOP-100 vulnerabilities that are known to be exploited in the wild. This page is being updated in real time to reflect all changes in our vulnerability database.

Updated: 1 day ago

# EUVDB-ID CVE-ID Vendor Software Vulnerability type Public exploit
1 #VU112907
Input validation error
CVE-2025-6558 Google Google Chromium
Web browsers
CWE-20
Improper input validation
No
2 #VU111237
Out-of-bounds read
CVE-2025-5777 Citrix Citrix Netscaler ADC
Software for system administration
CWE-125
Out-of-bounds read
Yes
3 #VU110708
External Control of File Name or Path
CVE-2025-33053 Microsoft Microsoft Internet Explorer
Web browsers
CWE-73
External Control of File Name or Path
Yes
4 #VU112272
Input validation error
CVE-2025-47812 Wing FTP Server Wing FTP Server
File servers (FTP/HTTP)
CWE-20
Improper input validation
Yes
5 #VU109187
Permissions, Privileges, and Access Controls
CVE-2025-4664 Google Google Chromium
Web browsers
CWE-264
Permissions, Privileges, and Access Controls
Yes
6 #VU105485
Input validation error
CVE-2025-24813 Apache Foundation Apache Tomcat
Web servers
CWE-20
Improper input validation
Yes
7 #VU110079
Out-of-bounds write
CVE-2025-5419 Google Google Chromium
Web browsers
CWE-787
Out-of-bounds write
Yes
8 #VU108680
Code Injection
CVE-2025-3248 Langflow Langflow
Other software solutions
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
9 #VU112062
Type confusion
CVE-2025-6554 Google Google Chromium
Web browsers
CWE-843
Type confusion
No
10 #VU109837
Improper protection of alternate path
CVE-2025-48827 vBulletin vBulletin
Forum & blogging software
CWE-424
Improper Protection of Alternate Path
Yes
11 #VU110022
Code Injection
CVE-2025-48828 vBulletin vBulletin
Forum & blogging software
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
12 #VU110003
Deserialization of Untrusted Data
CVE-2025-49113 Roundcube Roundcube
Webmail solutions
CWE-502
Deserialization of Untrusted Data
Yes
13 #VU110698
Deserialization of Untrusted Data
CVE-2025-24016 Wazuh Wazuh
Server solutions for antivurus protection
CWE-502
Deserialization of Untrusted Data
Yes
14 #VU111164
OS Command Injection
CVE-2023-33538 TP-Link TL-WR940N
Routers for home users
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Yes
15 #VU111952
Buffer overflow
CVE-2025-6543 Citrix Citrix NetScaler Gateway
Application servers
CWE-119
Memory corruption
No
16 #VU109821
Authentication Bypass by Spoofing
CVE-2024-54085 Siemens SIMATIC IPC RS-828A
Other software solutions
CWE-290
Authentication Bypass by Spoofing
No
17 #VU106029
Input validation error
CVE-2025-2783 Google Google Chromium
Web browsers
CWE-20
Improper input validation
Yes
18 #VU107594
Missing Authentication for Critical Function
CVE-2025-32433 erlang otp
Other software solutions
CWE-306
Missing Authentication for Critical Function
Yes
19 #VU105556
External Control of File Name or Path
CVE-2025-24054 Microsoft Windows
Operating system
CWE-73
External Control of File Name or Path
Yes
20 #VU70998
Permissions, Privileges, and Access Controls
CVE-2023-21746 Microsoft Windows
Operating system
CWE-264
Permissions, Privileges, and Access Controls
Yes
21 #VU106062
Missing authorization
CVE-2025-2825 CrushFTP CrushFTP
File servers (FTP/HTTP)
CWE-862
Missing Authorization
Yes
22 #VU106062
Missing authorization
CVE-2025-31161 CrushFTP CrushFTP
File servers (FTP/HTTP)
CWE-862
Missing Authorization
Yes
23 #VU82690
Deserialization of Untrusted Data
CVE-2023-46604 Apache Foundation ActiveMQ
Mail servers
CWE-502
Deserialization of Untrusted Data
Yes
24 #VU103970
Input validation error
CVE-2025-1094 PostgreSQL Global Development Group PostgreSQL
Database software
CWE-20
Improper input validation
Yes
25 #VU107991
Code Injection
CVE-2025-32432 Pixel & Tonic, Inc. Craft CMS
CMS
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
26 #VU110036
Incorrect Authorization
CVE-2025-21479 Qualcomm SD855
Firmware
CWE-863
Incorrect Authorization
Yes
27 #VU103926
Missing Authentication for Critical Function
CVE-2025-0108 Palo Alto Networks, Inc. Palo Alto PAN-OS
Operating system
CWE-306
Missing Authentication for Critical Function
Yes
28 #VU74410
Permissions, Privileges, and Access Controls
CVE-2023-0386 Linux Foundation Linux kernel
Operating system
CWE-264
Permissions, Privileges, and Access Controls
Yes
29 #VU100528
OS Command Injection
CVE-2024-9474 Palo Alto Networks, Inc. Palo Alto PAN-OS
Operating system
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Yes
30 #VU100596
Improper authentication
CVE-2024-0012 Palo Alto Networks, Inc. Palo Alto PAN-OS
Operating system
CWE-287
Improper Authentication
Yes
31 #VU102617
Heap-based buffer overflow
CVE-2025-21333 Microsoft Windows
Operating system
CWE-122
Heap-based Buffer Overflow
Yes
32 #VU109101
Stack-based buffer overflow
CVE-2025-32756 Fortinet, Inc FortiVoice
Conferencing, Collaboration and VoIP solutions
CWE-121
Stack-based buffer overflow
Yes
33 #VU95292
Cross-site scripting
CVE-2024-42009 Roundcube Roundcube
Webmail solutions
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Yes
34 #VU102473
Stack-based buffer overflow
CVE-2025-0282 Ivanti Ivanti Connect Secure (formerly Pulse Connect Secure)
Remote access servers, VPN
CWE-121
Stack-based buffer overflow
Yes
35 #VU71002
Permissions, Privileges, and Access Controls
CVE-2023-21768 Microsoft Windows
Operating system
CWE-264
Permissions, Privileges, and Access Controls
Yes
36 #VU111086
Input validation error
CVE-2025-43200 Apple Inc. Apple iOS
Operating system
CWE-20
Improper input validation
No
37 #VU111078
Input validation error
CVE-2023-29492 Novi Survey Novi Survey
Other software
CWE-20
Improper input validation
No
38 #VU109049
Type confusion
CVE-2025-30397 Microsoft Microsoft Internet Explorer
Web browsers
CWE-843
Type confusion
Yes
39 #VU107018
Code Injection
CVE-2025-2945 PlanGenius Admin pgAdmin
Remote management & hosting panels
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
40 #VU80032
Path traversal
CVE-2023-2915 Rockwell Automation ThinManager
Other server solutions
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
41 #VU80035
Path traversal
CVE-2023-2917 Rockwell Automation ThinManager
Other server solutions
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
42 #VU77799
Path traversal
CVE-2023-27856 Rockwell Automation ThinManager
Other server solutions
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
43 #VU77800
Path traversal
CVE-2023-27855 Rockwell Automation ThinManager
Other server solutions
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
44 #VU109035
Authentication bypass using an alternate path or channel
CVE-2025-4427 Ivanti Endpoint Manager Mobile (formerly MobileIron Core)
IDS/IPS systems, Firewalls and proxy servers
CWE-288
Authentication Bypass Using an Alternate Path or Channel
Yes
45 #VU109170
Code Injection
CVE-2025-4428 Ivanti Endpoint Manager Mobile (formerly MobileIron Core)
IDS/IPS systems, Firewalls and proxy servers
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
46 #VU110085
Input validation error
CVE-2025-35939 Pixel & Tonic, Inc. Craft CMS
CMS
CWE-20
Improper input validation
No
47 #VU110037
Incorrect Authorization
CVE-2025-21480 Qualcomm SD855
Firmware
CWE-863
Incorrect Authorization
No
48 #VU110045
Use After Free
CVE-2025-27038 Qualcomm QCA6391
Mobile firmware & hardware
CWE-416
Use After Free
No
49 #VU104127
Improper Authentication
CVE-2021-32030 Asus GT-AC2900
Firmware
CWE-287
Improper Authentication
No
50 #VU101835
Exposed dangerous method or function
CVE-2024-56145 Pixel & Tonic, Inc. Craft CMS
CMS
CWE-749
Exposed Dangerous Method or Function
Yes
51 #VU105715
Out-of-bounds write
CVE-2025-27363 freetype.org FreeType
Libraries used by multiple products
CWE-787
Out-of-bounds write
Yes
52 #VU110000
SQL injection
CVE-2025-2011 averta Depicter - Modern Responsive Touch Slider
Modules and components for CMS
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Yes
53 #VU81040
Input validation error
CVE-2023-41992 Apple Inc. Apple iOS
Operating system
CWE-20
Improper input validation
Yes
54 #VU106969
Stack-based buffer overflow
CVE-2025-22457 Ivanti Ivanti Connect Secure (formerly Pulse Connect Secure)
Remote access servers, VPN
CWE-121
Stack-based buffer overflow
Yes
55 #VU85739
Missing Authorization
CVE-2024-0204 Fortra GoAnywhere MFT
Remote access servers, VPN
CWE-862
Missing Authorization
Yes
56 #VU109050
Use-after-free
CVE-2025-30400 Microsoft Windows
Operating system
CWE-416
Use After Free
Yes
57 #VU107322
Use of hard-coded cryptographic key
CVE-2025-30406 Gladinet CentreStack
File servers (FTP/HTTP)
CWE-321
Use of Hard-coded Cryptographic Key
Yes
58 #VU103330
Use-after-free
CVE-2025-24085 Apple Inc. Apple iOS
Operating system
CWE-416
Use After Free
No
59 #VU105846
SQL injection
CVE-2025-24799 glpi-project GLPI
CRM systems
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Yes
60 #VU71482
Use-after-free
CVE-2023-0266 Linux Foundation Linux kernel
Operating system
CWE-416
Use After Free
No
61 #VU88822
Buffer overflow
CVE-2024-2961 GNU Glibc
Libraries used by multiple products
CWE-119
Memory corruption
Yes
62 #VU96815
Cross-site scripting
CVE-2024-27443 Synacor Inc. Zimbra Collaboration
Webmail solutions
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
No
63 #VU96085
Path traversal
CVE-2024-7399 Samsung MagicINFO 9 Server
Other server solutions
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
64 #VU107159
Use-after-free
CVE-2025-29824 Microsoft Windows
Operating system
CWE-416
Use After Free
Yes
65 #VU109012
Deserialization of Untrusted Data
CVE-2025-42999 SAP SAP NetWeaver
Application servers
CWE-502
Deserialization of Untrusted Data
No
66 #VU109214
Stored cross-site scripting
CVE-2024-11182 Alt-N MDaemon
Mail servers
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
No
67 #VU109052
Input validation error
CVE-2025-32706 Microsoft Windows
Operating system
CWE-20
Improper input validation
No
68 #VU109051
Use-after-free
CVE-2025-32709 Microsoft Windows
Operating system
CWE-416
Use After Free
No
69 #VU109047
Use-after-free
CVE-2025-32701 Microsoft Windows
Operating system
CWE-416
Use After Free
No
70 #VU109018
Path traversal
CVE-2025-27920 Srimax Software System Output Messenger
Conferencing, Collaboration and VoIP solutions
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
No
71 #VU108659
Path traversal
CVE-2025-34028 Commvault Commvault
IDS/IPS systems, Firewalls and proxy servers
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
72 #VU107961
Arbitrary file upload
CVE-2025-31324 SAP SAP NetWeaver
Application servers
CWE-434
Unrestricted Upload of File with Dangerous Type
Yes
73 #VU72753
Deserialization of Untrusted Data
CVE-2023-27372 spip.net SPIP
CMS
CWE-502
Deserialization of Untrusted Data
Yes
74 #VU105787
Path traversal
CVE-2025-2264 Santesoft PACS Server
Other server solutions
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
75 #VU107997
Input validation error
CVE-2025-3928 Commvault Commvault
IDS/IPS systems, Firewalls and proxy servers
CWE-20
Improper input validation
No
76 #VU107992
Improper protection of alternate path
CVE-2024-58136 Yii Software Yii
CMS
CWE-424
Improper Protection of Alternate Path
No
77 #VU100611
Memory leak
CVE-2024-50302 Linux Foundation Linux kernel
Operating system
CWE-401
Missing release of memory after effective lifetime
No
78 #VU102090
Out-of-bounds write
CVE-2024-53197 Linux Foundation Linux kernel
Operating system
CWE-787
Out-of-bounds write
No
79 #VU96465
Use of hard-coded credentials
CVE-2024-28987 SolarWinds Web Help Desk
Other software
CWE-798
Use of Hard-coded Credentials
Yes
80 #VU107879
Stack-based buffer overflow
CVE-2025-42599 QUALITIA CO., LTD. Active! mail
Conferencing, Collaboration and VoIP solutions
CWE-121
Stack-based buffer overflow
No
81 #VU107642
Code Injection
CVE-2025-1976 Brocade Brocade Fabric OS
Operating system
CWE-94
Improper Control of Generation of Code ('Code Injection')
No
82 #VU103453
Path traversal
CVE-2024-57727 simple-help SimpleHelp
Other client software
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Yes
83 #VU96385
Type Confusion
CVE-2024-7971 Google Google Chromium
Web browsers
CWE-843
Type confusion
Yes
84 #VU82065
Improper Privilege Management
CVE-2023-20198 Cisco Systems, Inc Cisco IOS XE
Operating system
CWE-269
Improper Privilege Management
Yes
85 #VU107563
Improper authentication
CVE-2025-31201 Apple Inc. iPadOS
Operating system
CWE-287
Improper Authentication
No
86 #VU107562
Buffer overflow
CVE-2025-31200 Apple Inc. iPadOS
Operating system
CWE-119
Memory corruption
No
87 #VU105518
Input validation error
CVE-2025-26633 Microsoft Windows
Operating system
CWE-20
Improper input validation
Yes
88 #VU107382
OS Command Injection
CVE-2024-50566 Fortinet, Inc FortiManager
IDS/IPS systems, Firewalls and proxy servers
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
No
89 #VU59699
Improper input validation
CVE-2021-35587 Oracle Oracle Access Manager
Directory software, identity management
CWE-20
Improper input validation
Yes
90 #VU78958
Inconsistent interpretation of HTTP requests
CVE-2022-22536 SAP SAP NetWeaver AS ABAP
Application servers
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Yes
91 #VU87917
Embedded malicious code (backdoor)
CVE-2024-3094 tukaani.org XZ Utils
Libraries used by multiple products
CWE-506
Embedded Malicious Code
Yes
92 #VU104042
Code Injection
CVE-2023-35813 Sitecore Sitecore Experience Platform
Forum & blogging software
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
93 #VU86914
Code Injection
CVE-2024-25600 bricksbuilder.io Bricks Builder
Modules and components for CMS
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
94 #VU96800
Use of hard-coded credentials
CVE-2024-20439 Cisco Systems, Inc Cisco Smart Licensing Utility
Other server solutions
CWE-798
Use of Hard-coded Credentials
No
95 #VU106284
Input validation error
CVE-2025-30355 Matrix.org Synapse
Conferencing, Collaboration and VoIP solutions
CWE-20
Improper input validation
No
96 #VU68307
Code Injection
CVE-2022-42889 Apache Foundation Apache Commons Text
Software for developers
CWE-94
Improper Control of Generation of Code ('Code Injection')
Yes
97 #VU105991
Embedded malicious code (backdoor)
CVE-2025-30154 reviewdog reviewdog
Software for developers
CWE-506
Embedded Malicious Code
No
98 #VU88869
External Control of File Name or Path
CVE-2024-4040 CrushFTP CrushFTP
File servers (FTP/HTTP)
CWE-73
External Control of File Name or Path
Yes
99 #VU91716
Heap-based buffer overflow
CVE-2024-30085 Microsoft Windows
Operating system
CWE-122
Heap-based Buffer Overflow
Yes
100 #VU105548
Out-of-bounds write
CVE-2025-24201 WebKitGTK WebKitGTK+
Frameworks for developing and running applications
CWE-787
Out-of-bounds write
No