TOP-100 known vulnerabilities exploited in the wild (KEV)

Cybersecurity Help has compiled a list of TOP-100 vulnerabilities that are known to be exploited in the wild. This page is being updated in real time to reflect all changes in our vulnerability database.

Updated: 2 days ago

| # | EUVDB-ID | Vulnerability type | CVE-ID | Vendor / Software | Category | CWE | CWE description | Public exploit |
|---|---|---|---|---|---|---|---|---|
| 1 | #VU110708 | External Control of File Name or Path | CVE-2025-33053 | Microsoft Microsoft Internet Explorer | Web browsers | CWE-73 | External Control of File Name or Path | Yes |
| 2 | #VU100528 | OS Command Injection | CVE-2024-9474 | Palo Alto Networks, Inc. Palo Alto PAN-OS | Operating system | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes |
| 3 | #VU100596 | Improper authentication | CVE-2024-0012 | Palo Alto Networks, Inc. Palo Alto PAN-OS | Operating system | CWE-287 | Improper Authentication | Yes |
| 4 | #VU110003 | Deserialization of Untrusted Data | CVE-2025-49113 | Roundcube Roundcube | Webmail solutions | CWE-502 | Deserialization of Untrusted Data | Yes |
| 5 | #VU102617 | Heap-based buffer overflow | CVE-2025-21333 | Microsoft Windows | Operating system | CWE-122 | Heap-based Buffer Overflow | Yes |
| 6 | #VU108680 | Code Injection | CVE-2025-3248 | Langflow Langflow | Other software solutions | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 7 | #VU110698 | Deserialization of Untrusted Data | CVE-2025-24016 | Wazuh Wazuh | Server solutions for antivirus protection | CWE-502 | Deserialization of Untrusted Data | Yes |
| 8 | #VU109101 | Stack-based buffer overflow | CVE-2025-32756 | Fortinet, Inc FortiVoice | Conferencing, Collaboration and VoIP solutions | CWE-121 | Stack-based buffer overflow | Yes |
| 9 | #VU95292 | Cross-site scripting | CVE-2024-42009 | Roundcube Roundcube | Webmail solutions | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Yes |
| 10 | #VU107594 | Missing Authentication for Critical Function | CVE-2025-32433 | erlang otp | Other software solutions | CWE-306 | Missing Authentication for Critical Function | Yes |
| 11 | #VU102473 | Stack-based buffer overflow | CVE-2025-0282 | Ivanti Ivanti Connect Secure (formerly Pulse Connect Secure) | Remote access servers, VPN | CWE-121 | Stack-based buffer overflow | Yes |
| 12 | #VU71002 | Permissions, Privileges, and Access Controls | CVE-2023-21768 | Microsoft Windows | Operating system | CWE-264 | Permissions, Privileges, and Access Controls | Yes |
| 13 | #VU111086 | Input validation error | CVE-2025-43200 | Apple Inc. Apple iOS | Operating system | CWE-20 | Improper input validation | No |
| 14 | #VU111078 | Input validation error | CVE-2023-29492 | Novi Survey Novi Survey | Other software | CWE-20 | Improper input validation | No |
| 15 | #VU109049 | Type confusion | CVE-2025-30397 | Microsoft Microsoft Internet Explorer | Web browsers | CWE-843 | Type confusion | Yes |
| 16 | #VU106062 | Missing authorization | CVE-2025-2825 | CrushFTP CrushFTP | File servers (FTP/HTTP) | CWE-862 | Missing Authorization | Yes |
| 17 | #VU106062 | Missing authorization | CVE-2025-31161 | CrushFTP CrushFTP | File servers (FTP/HTTP) | CWE-862 | Missing Authorization | Yes |
| 18 | #VU107018 | Code Injection | CVE-2025-2945 | PlanGenius Admin pgAdmin | Remote management & hosting panels | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 19 | #VU109837 | Improper protection of alternate path | CVE-2025-48827 | vBulletin vBulletin | Forum & blogging software | CWE-424 | Improper Protection of Alternate Path | Yes |
| 20 | #VU109187 | Permissions, Privileges, and Access Controls | CVE-2025-4664 | Google Google Chromium | Web browsers | CWE-264 | Permissions, Privileges, and Access Controls | Yes |
| 21 | #VU80032 | Path traversal | CVE-2023-2915 | Rockwell Automation ThinManager | Other server solutions | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 22 | #VU80035 | Path traversal | CVE-2023-2917 | Rockwell Automation ThinManager | Other server solutions | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 23 | #VU77799 | Path traversal | CVE-2023-27856 | Rockwell Automation ThinManager | Other server solutions | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 24 | #VU77800 | Path traversal | CVE-2023-27855 | Rockwell Automation ThinManager | Other server solutions | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 25 | #VU109170 | Code Injection | CVE-2025-4428 | Ivanti Endpoint Manager Mobile (formerly MobileIron Core) | IDS/IPS systems, Firewalls and proxy servers | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 26 | #VU109035 | Authentication bypass using an alternate path or channel | CVE-2025-4427 | Ivanti Endpoint Manager Mobile (formerly MobileIron Core) | IDS/IPS systems, Firewalls and proxy servers | CWE-288 | Authentication Bypass Using an Alternate Path or Channel | Yes |
| 27 | #VU110085 | Input validation error | CVE-2025-35939 | Pixel & Tonic, Inc. Craft CMS | CMS | CWE-20 | Improper input validation | No |
| 28 | #VU110079 | Out-of-bounds write | CVE-2025-5419 | Google Google Chromium | Web browsers | CWE-787 | Out-of-bounds write | No |
| 29 | #VU110036 | Incorrect Authorization | CVE-2025-21479 | Qualcomm SD855 | Firmware | CWE-863 | Incorrect Authorization | No |
| 30 | #VU110037 | Incorrect Authorization | CVE-2025-21480 | Qualcomm SD855 | Firmware | CWE-863 | Incorrect Authorization | No |
| 31 | #VU110045 | Use After Free | CVE-2025-27038 | Qualcomm QCA6391 | Mobile firmware & hardware | CWE-416 | Use After Free | No |
| 32 | #VU101835 | Exposed dangerous method or function | CVE-2024-56145 | Pixel & Tonic, Inc. Craft CMS | CMS | CWE-749 | Exposed Dangerous Method or Function | Yes |
| 33 | #VU104127 | Improper Authentication | CVE-2021-32030 | Asus GT-AC2900 | Firmware | CWE-287 | Improper Authentication | No |
| 34 | #VU110022 | Code Injection | CVE-2025-48828 | vBulletin vBulletin | Forum & blogging software | CWE-94 | Improper Control of Generation of Code ('Code Injection') | No |
| 35 | #VU105485 | Input validation error | CVE-2025-24813 | Apache Foundation Apache Tomcat | Web servers | CWE-20 | Improper input validation | Yes |
| 36 | #VU106029 | Input validation error | CVE-2025-2783 | Google Google Chromium | Web browsers | CWE-20 | Improper input validation | Yes |
| 37 | #VU105715 | Out-of-bounds write | CVE-2025-27363 | freetype.org FreeType | Libraries used by multiple products | CWE-787 | Out-of-bounds write | Yes |
| 38 | #VU105556 | External Control of File Name or Path | CVE-2025-24054 | Microsoft Windows | Operating system | CWE-73 | External Control of File Name or Path | Yes |
| 39 | #VU110000 | SQL injection | CVE-2025-2011 | averta Depicter - Modern Responsive Touch Slider | Modules and components for CMS | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Yes |
| 40 | #VU81040 | Input validation error | CVE-2023-41992 | Apple Inc. Apple iOS | Operating system | CWE-20 | Improper input validation | Yes |
| 41 | #VU106969 | Stack-based buffer overflow | CVE-2025-22457 | Ivanti Ivanti Connect Secure (formerly Pulse Connect Secure) | Remote access servers, VPN | CWE-121 | Stack-based buffer overflow | Yes |
| 42 | #VU85739 | Missing Authorization | CVE-2024-0204 | Fortra GoAnywhere MFT | Remote access servers, VPN | CWE-862 | Missing Authorization | Yes |
| 43 | #VU109050 | Use-after-free | CVE-2025-30400 | Microsoft Windows | Operating system | CWE-416 | Use After Free | Yes |
| 44 | #VU107322 | Use of hard-coded cryptographic key | CVE-2025-30406 | Gladinet CentreStack | File servers (FTP/HTTP) | CWE-321 | Use of Hard-coded Cryptographic Key | Yes |
| 45 | #VU103330 | Use-after-free | CVE-2025-24085 | Apple Inc. Apple iOS | Operating system | CWE-416 | Use After Free | No |
| 46 | #VU105846 | SQL injection | CVE-2025-24799 | glpi-project GLPI | CRM systems | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Yes |
| 47 | #VU71482 | Use-after-free | CVE-2023-0266 | Linux Foundation Linux kernel | Operating system | CWE-416 | Use After Free | No |
| 48 | #VU88822 | Buffer overflow | CVE-2024-2961 | GNU Glibc | Libraries used by multiple products | CWE-119 | Memory corruption | Yes |
| 49 | #VU96815 | Cross-site scripting | CVE-2024-27443 | Synacor Inc. Zimbra Collaboration | Webmail solutions | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | No |
| 50 | #VU96085 | Path traversal | CVE-2024-7399 | Samsung MagicINFO 9 Server | Other server solutions | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 51 | #VU107159 | Use-after-free | CVE-2025-29824 | Microsoft Windows | Operating system | CWE-416 | Use After Free | Yes |
| 52 | #VU109012 | Deserialization of Untrusted Data | CVE-2025-42999 | SAP SAP NetWeaver | Application servers | CWE-502 | Deserialization of Untrusted Data | No |
| 53 | #VU109214 | Stored cross-site scripting | CVE-2024-11182 | Alt-N MDaemon | Mail servers | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | No |
| 54 | #VU109052 | Input validation error | CVE-2025-32706 | Microsoft Windows | Operating system | CWE-20 | Improper input validation | No |
| 55 | #VU109051 | Use-after-free | CVE-2025-32709 | Microsoft Windows | Operating system | CWE-416 | Use After Free | No |
| 56 | #VU109047 | Use-after-free | CVE-2025-32701 | Microsoft Windows | Operating system | CWE-416 | Use After Free | No |
| 57 | #VU109018 | Path traversal | CVE-2025-27920 | Srimax Software System Output Messenger | Conferencing, Collaboration and VoIP solutions | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | No |
| 58 | #VU108659 | Path traversal | CVE-2025-34028 | Commvault Commvault | IDS/IPS systems, Firewalls and proxy servers | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 59 | #VU107961 | Arbitrary file upload | CVE-2025-31324 | SAP SAP NetWeaver | Application servers | CWE-434 | Unrestricted Upload of File with Dangerous Type | Yes |
| 60 | #VU72753 | Deserialization of Untrusted Data | CVE-2023-27372 | spip.net SPIP | CMS | CWE-502 | Deserialization of Untrusted Data | Yes |
| 61 | #VU105787 | Path traversal | CVE-2025-2264 | Santesoft PACS Server | Other server solutions | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 62 | #VU107991 | Code Injection | CVE-2025-32432 | Pixel & Tonic, Inc. Craft CMS | CMS | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 63 | #VU107997 | Input validation error | CVE-2025-3928 | Commvault Commvault | IDS/IPS systems, Firewalls and proxy servers | CWE-20 | Improper input validation | No |
| 64 | #VU107992 | Improper protection of alternate path | CVE-2024-58136 | Yii Software Yii | CMS | CWE-424 | Improper Protection of Alternate Path | No |
| 65 | #VU100611 | Memory leak | CVE-2024-50302 | Linux Foundation Linux kernel | Operating system | CWE-401 | Missing release of memory after effective lifetime | No |
| 66 | #VU102090 | Out-of-bounds write | CVE-2024-53197 | Linux Foundation Linux kernel | Operating system | CWE-787 | Out-of-bounds write | No |
| 67 | #VU96465 | Use of hard-coded credentials | CVE-2024-28987 | SolarWinds Web Help Desk | Other software | CWE-798 | Use of Hard-coded Credentials | Yes |
| 68 | #VU107879 | Stack-based buffer overflow | CVE-2025-42599 | QUALITIA CO., LTD. Active! mail | Conferencing, Collaboration and VoIP solutions | CWE-121 | Stack-based buffer overflow | No |
| 69 | #VU107642 | Code Injection | CVE-2025-1976 | Brocade Brocade Fabric OS | Operating system | CWE-94 | Improper Control of Generation of Code ('Code Injection') | No |
| 70 | #VU103453 | Path traversal | CVE-2024-57727 | simple-help SimpleHelp | Other client software | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 71 | #VU96385 | Type Confusion | CVE-2024-7971 | Google Google Chromium | Web browsers | CWE-843 | Type confusion | Yes |
| 72 | #VU82065 | Improper Privilege Management | CVE-2023-20198 | Cisco Systems, Inc Cisco IOS XE | Operating system | CWE-269 | Improper Privilege Management | Yes |
| 73 | #VU107563 | Improper authentication | CVE-2025-31201 | Apple Inc. iPadOS | Operating system | CWE-287 | Improper Authentication | No |
| 74 | #VU107562 | Buffer overflow | CVE-2025-31200 | Apple Inc. iPadOS | Operating system | CWE-119 | Memory corruption | No |
| 75 | #VU105518 | Input validation error | CVE-2025-26633 | Microsoft Windows | Operating system | CWE-20 | Improper input validation | Yes |
| 76 | #VU107382 | OS Command Injection | CVE-2024-50566 | Fortinet, Inc FortiManager | IDS/IPS systems, Firewalls and proxy servers | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | No |
| 77 | #VU59699 | Improper input validation | CVE-2021-35587 | Oracle Oracle Access Manager | Directory software, identity management | CWE-20 | Improper input validation | Yes |
| 78 | #VU78958 | Inconsistent interpretation of HTTP requests | CVE-2022-22536 | SAP SAP NetWeaver AS ABAP | Application servers | CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') | Yes |
| 79 | #VU87917 | Embedded malicious code (backdoor) | CVE-2024-3094 | tukaani.org XZ Utils | Libraries used by multiple products | CWE-506 | Embedded Malicious Code | Yes |
| 80 | #VU104042 | Code Injection | CVE-2023-35813 | Sitecore Sitecore Experience Platform | Forum & blogging software | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 81 | #VU86914 | Code Injection | CVE-2024-25600 | bricksbuilder.io Bricks Builder | Modules and components for CMS | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 82 | #VU96800 | Use of hard-coded credentials | CVE-2024-20439 | Cisco Systems, Inc Cisco Smart Licensing Utility | Other server solutions | CWE-798 | Use of Hard-coded Credentials | No |
| 83 | #VU106284 | Input validation error | CVE-2025-30355 | Matrix.org Synapse | Conferencing, Collaboration and VoIP solutions | CWE-20 | Improper input validation | No |
| 84 | #VU68307 | Code Injection | CVE-2022-42889 | Apache Foundation Apache Commons Text | Software for developers | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 85 | #VU105991 | Embedded malicious code (backdoor) | CVE-2025-30154 | reviewdog reviewdog | Software for developers | CWE-506 | Embedded Malicious Code | No |
| 86 | #VU88869 | External Control of File Name or Path | CVE-2024-4040 | CrushFTP CrushFTP | File servers (FTP/HTTP) | CWE-73 | External Control of File Name or Path | Yes |
| 87 | #VU91716 | Heap-based buffer overflow | CVE-2024-30085 | Microsoft Windows | Operating system | CWE-122 | Heap-based Buffer Overflow | Yes |
| 88 | #VU105548 | Out-of-bounds write | CVE-2025-24201 | WebKitGTK WebKitGTK+ | Frameworks for developing and running applications | CWE-787 | Out-of-bounds write | No |
| 89 | #VU105882 | Path traversal | CVE-2024-48248 | NAKIVO Backup & Replication | File servers (FTP/HTTP) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 90 | #VU105330 | OS Command Injection | CVE-2025-1316 | EDIMAX Technology IC-7100 IP Camera | Security hardware appliances | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | No |
| 91 | #VU105851 | Spoofing attack | N/A | Microsoft Windows | Operating system | CWE-451 | User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing) | No |
| 92 | #VU105790 | Embedded malicious code (backdoor) | CVE-2025-30066 | tj-actions changed-files | Other software solutions | CWE-506 | Embedded Malicious Code | Yes |
| 93 | #VU91106 | OS Command Injection | CVE-2024-4577 | PHP Group PHP | Scripting languages | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes |
| 94 | #VU90703 | Code Injection | CVE-2024-25641 | The Cacti Group, Inc. Cacti | Other software | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Yes |
| 95 | #VU94758 | Input validation error | CVE-2024-4879 | ServiceNow ServiceNow | Other server solutions | CWE-20 | Improper input validation | Yes |
| 96 | #VU82690 | Deserialization of Untrusted Data | CVE-2023-46604 | Apache Foundation ActiveMQ | Mail servers | CWE-502 | Deserialization of Untrusted Data | Yes |
| 97 | #VU83960 | Path traversal | CVE-2023-50164 | Apache Foundation Apache Struts | Frameworks for developing and running applications | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Yes |
| 98 | #VU103970 | Input validation error | CVE-2025-1094 | PostgreSQL Global Development Group PostgreSQL | Database software | CWE-20 | Improper input validation | Yes |
| 99 | #VU82544 | Authentication bypass using an alternate path or channel | CVE-2023-46747 | F5 Networks BIG-IP | Firmware | CWE-288 | Authentication Bypass Using an Alternate Path or Channel | Yes |
| 100 | #VU105745 | Server-Side Request Forgery (SSRF) | N/A | OpenBMCS OpenBMCS | SCADA systems | CWE-918 | Server-Side Request Forgery (SSRF) | Yes |