Cybersecurity Help has compiled a list of TOP-100 vulnerabilities that are known to be exploited in the wild. This page is being updated in real time to reflect all changes in our vulnerability database.
| # | EUVDB-ID | CVE-ID | Vendor | Software | Vulnerability type | Public exploit |
| 1 | #VU112907 Input validation error |
CVE-2025-6558 |
Google Chromium
Web browsers |
CWE-20 Improper input validation |
No | |
| 2 | #VU111237 Out-of-bounds read |
CVE-2025-5777 | Citrix |
Citrix Netscaler ADC
Software for system administration |
CWE-125 Out-of-bounds read |
Yes |
| 3 | #VU110708 External Control of File Name or Path |
CVE-2025-33053 | Microsoft |
Microsoft Internet Explorer
Web browsers |
CWE-73 External Control of File Name or Path |
Yes |
| 4 | #VU112272 Input validation error |
CVE-2025-47812 | Wing FTP Server |
Wing FTP Server
File servers (FTP/HTTP) |
CWE-20 Improper input validation |
Yes |
| 5 | #VU109187 Permissions, Privileges, and Access Controls |
CVE-2025-4664 |
Google Chromium
Web browsers |
CWE-264 Permissions, Privileges, and Access Controls |
Yes | |
| 6 | #VU105485 Input validation error |
CVE-2025-24813 | Apache Foundation |
Apache Tomcat
Web servers |
CWE-20 Improper input validation |
Yes |
| 7 | #VU110079 Out-of-bounds write |
CVE-2025-5419 |
Google Chromium
Web browsers |
CWE-787 Out-of-bounds write |
Yes | |
| 8 | #VU108680 Code Injection |
CVE-2025-3248 | Langflow |
Langflow
Other software solutions |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 9 | #VU112062 Type confusion |
CVE-2025-6554 |
Google Chromium
Web browsers |
CWE-843 Type confusion |
No | |
| 10 | #VU109837 Improper protection of alternate path |
CVE-2025-48827 | vBulletin |
vBulletin
Forum & blogging software |
CWE-424 Improper Protection of Alternate Path |
Yes |
| 11 | #VU110022 Code Injection |
CVE-2025-48828 | vBulletin |
vBulletin
Forum & blogging software |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 12 | #VU110003 Deserialization of Untrusted Data |
CVE-2025-49113 | Roundcube |
Roundcube
Webmail solutions |
CWE-502 Deserialization of Untrusted Data |
Yes |
| 13 | #VU110698 Deserialization of Untrusted Data |
CVE-2025-24016 | Wazuh |
Wazuh
Server solutions for antivurus protection |
CWE-502 Deserialization of Untrusted Data |
Yes |
| 14 | #VU111164 OS Command Injection |
CVE-2023-33538 | TP-Link |
TL-WR940N
Routers for home users |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Yes |
| 15 | #VU111952 Buffer overflow |
CVE-2025-6543 | Citrix |
Citrix NetScaler Gateway
Application servers |
CWE-119 Memory corruption |
No |
| 16 | #VU109821 Authentication Bypass by Spoofing |
CVE-2024-54085 | Siemens |
SIMATIC IPC RS-828A
Other software solutions |
CWE-290 Authentication Bypass by Spoofing |
No |
| 17 | #VU106029 Input validation error |
CVE-2025-2783 |
Google Chromium
Web browsers |
CWE-20 Improper input validation |
Yes | |
| 18 | #VU107594 Missing Authentication for Critical Function |
CVE-2025-32433 | erlang |
otp
Other software solutions |
CWE-306 Missing Authentication for Critical Function |
Yes |
| 19 | #VU105556 External Control of File Name or Path |
CVE-2025-24054 | Microsoft |
Windows
Operating system |
CWE-73 External Control of File Name or Path |
Yes |
| 20 | #VU70998 Permissions, Privileges, and Access Controls |
CVE-2023-21746 | Microsoft |
Windows
Operating system |
CWE-264 Permissions, Privileges, and Access Controls |
Yes |
| 21 | #VU106062 Missing authorization |
CVE-2025-2825 | CrushFTP |
CrushFTP
File servers (FTP/HTTP) |
CWE-862 Missing Authorization |
Yes |
| 22 | #VU106062 Missing authorization |
CVE-2025-31161 | CrushFTP |
CrushFTP
File servers (FTP/HTTP) |
CWE-862 Missing Authorization |
Yes |
| 23 | #VU82690 Deserialization of Untrusted Data |
CVE-2023-46604 | Apache Foundation |
ActiveMQ
Mail servers |
CWE-502 Deserialization of Untrusted Data |
Yes |
| 24 | #VU103970 Input validation error |
CVE-2025-1094 | PostgreSQL Global Development Group |
PostgreSQL
Database software |
CWE-20 Improper input validation |
Yes |
| 25 | #VU107991 Code Injection |
CVE-2025-32432 | Pixel & Tonic, Inc. |
Craft CMS
CMS |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 26 | #VU110036 Incorrect Authorization |
CVE-2025-21479 | Qualcomm |
SD855
Firmware |
CWE-863 Incorrect Authorization |
Yes |
| 27 | #VU103926 Missing Authentication for Critical Function |
CVE-2025-0108 | Palo Alto Networks, Inc. |
Palo Alto PAN-OS
Operating system |
CWE-306 Missing Authentication for Critical Function |
Yes |
| 28 | #VU74410 Permissions, Privileges, and Access Controls |
CVE-2023-0386 | Linux Foundation |
Linux kernel
Operating system |
CWE-264 Permissions, Privileges, and Access Controls |
Yes |
| 29 | #VU100528 OS Command Injection |
CVE-2024-9474 | Palo Alto Networks, Inc. |
Palo Alto PAN-OS
Operating system |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Yes |
| 30 | #VU100596 Improper authentication |
CVE-2024-0012 | Palo Alto Networks, Inc. |
Palo Alto PAN-OS
Operating system |
CWE-287 Improper Authentication |
Yes |
| 31 | #VU102617 Heap-based buffer overflow |
CVE-2025-21333 | Microsoft |
Windows
Operating system |
CWE-122 Heap-based Buffer Overflow |
Yes |
| 32 | #VU109101 Stack-based buffer overflow |
CVE-2025-32756 | Fortinet, Inc |
FortiVoice
Conferencing, Collaboration and VoIP solutions |
CWE-121 Stack-based buffer overflow |
Yes |
| 33 | #VU95292 Cross-site scripting |
CVE-2024-42009 | Roundcube |
Roundcube
Webmail solutions |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Yes |
| 34 | #VU102473 Stack-based buffer overflow |
CVE-2025-0282 | Ivanti |
Ivanti Connect Secure (formerly Pulse Connect Secure)
Remote access servers, VPN |
CWE-121 Stack-based buffer overflow |
Yes |
| 35 | #VU71002 Permissions, Privileges, and Access Controls |
CVE-2023-21768 | Microsoft |
Windows
Operating system |
CWE-264 Permissions, Privileges, and Access Controls |
Yes |
| 36 | #VU111086 Input validation error |
CVE-2025-43200 | Apple Inc. |
Apple iOS
Operating system |
CWE-20 Improper input validation |
No |
| 37 | #VU111078 Input validation error |
CVE-2023-29492 | Novi Survey |
Novi Survey
Other software |
CWE-20 Improper input validation |
No |
| 38 | #VU109049 Type confusion |
CVE-2025-30397 | Microsoft |
Microsoft Internet Explorer
Web browsers |
CWE-843 Type confusion |
Yes |
| 39 | #VU107018 Code Injection |
CVE-2025-2945 | PlanGenius Admin |
pgAdmin
Remote management & hosting panels |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 40 | #VU80032 Path traversal |
CVE-2023-2915 | Rockwell Automation |
ThinManager
Other server solutions |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 41 | #VU80035 Path traversal |
CVE-2023-2917 | Rockwell Automation |
ThinManager
Other server solutions |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 42 | #VU77799 Path traversal |
CVE-2023-27856 | Rockwell Automation |
ThinManager
Other server solutions |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 43 | #VU77800 Path traversal |
CVE-2023-27855 | Rockwell Automation |
ThinManager
Other server solutions |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 44 | #VU109035 Authentication bypass using an alternate path or channel |
CVE-2025-4427 | Ivanti |
Endpoint Manager Mobile (formerly MobileIron Core)
IDS/IPS systems, Firewalls and proxy servers |
CWE-288 Authentication Bypass Using an Alternate Path or Channel |
Yes |
| 45 | #VU109170 Code Injection |
CVE-2025-4428 | Ivanti |
Endpoint Manager Mobile (formerly MobileIron Core)
IDS/IPS systems, Firewalls and proxy servers |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 46 | #VU110085 Input validation error |
CVE-2025-35939 | Pixel & Tonic, Inc. |
Craft CMS
CMS |
CWE-20 Improper input validation |
No |
| 47 | #VU110037 Incorrect Authorization |
CVE-2025-21480 | Qualcomm |
SD855
Firmware |
CWE-863 Incorrect Authorization |
No |
| 48 | #VU110045 Use After Free |
CVE-2025-27038 | Qualcomm |
QCA6391
Mobile firmware & hardware |
CWE-416 Use After Free |
No |
| 49 | #VU104127 Improper Authentication |
CVE-2021-32030 | Asus |
GT-AC2900
Firmware |
CWE-287 Improper Authentication |
No |
| 50 | #VU101835 Exposed dangerous method or function |
CVE-2024-56145 | Pixel & Tonic, Inc. |
Craft CMS
CMS |
CWE-749 Exposed Dangerous Method or Function |
Yes |
| 51 | #VU105715 Out-of-bounds write |
CVE-2025-27363 | freetype.org |
FreeType
Libraries used by multiple products |
CWE-787 Out-of-bounds write |
Yes |
| 52 | #VU110000 SQL injection |
CVE-2025-2011 | averta |
Depicter - Modern Responsive Touch Slider
Modules and components for CMS |
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Yes |
| 53 | #VU81040 Input validation error |
CVE-2023-41992 | Apple Inc. |
Apple iOS
Operating system |
CWE-20 Improper input validation |
Yes |
| 54 | #VU106969 Stack-based buffer overflow |
CVE-2025-22457 | Ivanti |
Ivanti Connect Secure (formerly Pulse Connect Secure)
Remote access servers, VPN |
CWE-121 Stack-based buffer overflow |
Yes |
| 55 | #VU85739 Missing Authorization |
CVE-2024-0204 | Fortra |
GoAnywhere MFT
Remote access servers, VPN |
CWE-862 Missing Authorization |
Yes |
| 56 | #VU109050 Use-after-free |
CVE-2025-30400 | Microsoft |
Windows
Operating system |
CWE-416 Use After Free |
Yes |
| 57 | #VU107322 Use of hard-coded cryptographic key |
CVE-2025-30406 | Gladinet |
CentreStack
File servers (FTP/HTTP) |
CWE-321 Use of Hard-coded Cryptographic Key |
Yes |
| 58 | #VU103330 Use-after-free |
CVE-2025-24085 | Apple Inc. |
Apple iOS
Operating system |
CWE-416 Use After Free |
No |
| 59 | #VU105846 SQL injection |
CVE-2025-24799 | glpi-project |
GLPI
CRM systems |
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Yes |
| 60 | #VU71482 Use-after-free |
CVE-2023-0266 | Linux Foundation |
Linux kernel
Operating system |
CWE-416 Use After Free |
No |
| 61 | #VU88822 Buffer overflow |
CVE-2024-2961 | GNU |
Glibc
Libraries used by multiple products |
CWE-119 Memory corruption |
Yes |
| 62 | #VU96815 Cross-site scripting |
CVE-2024-27443 | Synacor Inc. |
Zimbra Collaboration
Webmail solutions |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
No |
| 63 | #VU96085 Path traversal |
CVE-2024-7399 | Samsung |
MagicINFO 9 Server
Other server solutions |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 64 | #VU107159 Use-after-free |
CVE-2025-29824 | Microsoft |
Windows
Operating system |
CWE-416 Use After Free |
Yes |
| 65 | #VU109012 Deserialization of Untrusted Data |
CVE-2025-42999 | SAP |
SAP NetWeaver
Application servers |
CWE-502 Deserialization of Untrusted Data |
No |
| 66 | #VU109214 Stored cross-site scripting |
CVE-2024-11182 | Alt-N |
MDaemon
Mail servers |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
No |
| 67 | #VU109052 Input validation error |
CVE-2025-32706 | Microsoft |
Windows
Operating system |
CWE-20 Improper input validation |
No |
| 68 | #VU109051 Use-after-free |
CVE-2025-32709 | Microsoft |
Windows
Operating system |
CWE-416 Use After Free |
No |
| 69 | #VU109047 Use-after-free |
CVE-2025-32701 | Microsoft |
Windows
Operating system |
CWE-416 Use After Free |
No |
| 70 | #VU109018 Path traversal |
CVE-2025-27920 | Srimax Software System |
Output Messenger
Conferencing, Collaboration and VoIP solutions |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
No |
| 71 | #VU108659 Path traversal |
CVE-2025-34028 | Commvault |
Commvault
IDS/IPS systems, Firewalls and proxy servers |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 72 | #VU107961 Arbitrary file upload |
CVE-2025-31324 | SAP |
SAP NetWeaver
Application servers |
CWE-434 Unrestricted Upload of File with Dangerous Type |
Yes |
| 73 | #VU72753 Deserialization of Untrusted Data |
CVE-2023-27372 | spip.net |
SPIP
CMS |
CWE-502 Deserialization of Untrusted Data |
Yes |
| 74 | #VU105787 Path traversal |
CVE-2025-2264 | Santesoft |
PACS Server
Other server solutions |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 75 | #VU107997 Input validation error |
CVE-2025-3928 | Commvault |
Commvault
IDS/IPS systems, Firewalls and proxy servers |
CWE-20 Improper input validation |
No |
| 76 | #VU107992 Improper protection of alternate path |
CVE-2024-58136 | Yii Software |
Yii
CMS |
CWE-424 Improper Protection of Alternate Path |
No |
| 77 | #VU100611 Memory leak |
CVE-2024-50302 | Linux Foundation |
Linux kernel
Operating system |
CWE-401 Missing release of memory after effective lifetime |
No |
| 78 | #VU102090 Out-of-bounds write |
CVE-2024-53197 | Linux Foundation |
Linux kernel
Operating system |
CWE-787 Out-of-bounds write |
No |
| 79 | #VU96465 Use of hard-coded credentials |
CVE-2024-28987 | SolarWinds |
Web Help Desk
Other software |
CWE-798 Use of Hard-coded Credentials |
Yes |
| 80 | #VU107879 Stack-based buffer overflow |
CVE-2025-42599 | QUALITIA CO., LTD. |
Active! mail
Conferencing, Collaboration and VoIP solutions |
CWE-121 Stack-based buffer overflow |
No |
| 81 | #VU107642 Code Injection |
CVE-2025-1976 | Brocade |
Brocade Fabric OS
Operating system |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
No |
| 82 | #VU103453 Path traversal |
CVE-2024-57727 | simple-help |
SimpleHelp
Other client software |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Yes |
| 83 | #VU96385 Type Confusion |
CVE-2024-7971 |
Google Chromium
Web browsers |
CWE-843 Type confusion |
Yes | |
| 84 | #VU82065 Improper Privilege Management |
CVE-2023-20198 | Cisco Systems, Inc |
Cisco IOS XE
Operating system |
CWE-269 Improper Privilege Management |
Yes |
| 85 | #VU107563 Improper authentication |
CVE-2025-31201 | Apple Inc. |
iPadOS
Operating system |
CWE-287 Improper Authentication |
No |
| 86 | #VU107562 Buffer overflow |
CVE-2025-31200 | Apple Inc. |
iPadOS
Operating system |
CWE-119 Memory corruption |
No |
| 87 | #VU105518 Input validation error |
CVE-2025-26633 | Microsoft |
Windows
Operating system |
CWE-20 Improper input validation |
Yes |
| 88 | #VU107382 OS Command Injection |
CVE-2024-50566 | Fortinet, Inc |
FortiManager
IDS/IPS systems, Firewalls and proxy servers |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
No |
| 89 | #VU59699 Improper input validation |
CVE-2021-35587 | Oracle |
Oracle Access Manager
Directory software, identity management |
CWE-20 Improper input validation |
Yes |
| 90 | #VU78958 Inconsistent interpretation of HTTP requests |
CVE-2022-22536 | SAP |
SAP NetWeaver AS ABAP
Application servers |
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
Yes |
| 91 | #VU87917 Embedded malicious code (backdoor) |
CVE-2024-3094 | tukaani.org |
XZ Utils
Libraries used by multiple products |
CWE-506 Embedded Malicious Code |
Yes |
| 92 | #VU104042 Code Injection |
CVE-2023-35813 | Sitecore |
Sitecore Experience Platform
Forum & blogging software |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 93 | #VU86914 Code Injection |
CVE-2024-25600 | bricksbuilder.io |
Bricks Builder
Modules and components for CMS |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 94 | #VU96800 Use of hard-coded credentials |
CVE-2024-20439 | Cisco Systems, Inc |
Cisco Smart Licensing Utility
Other server solutions |
CWE-798 Use of Hard-coded Credentials |
No |
| 95 | #VU106284 Input validation error |
CVE-2025-30355 | Matrix.org |
Synapse
Conferencing, Collaboration and VoIP solutions |
CWE-20 Improper input validation |
No |
| 96 | #VU68307 Code Injection |
CVE-2022-42889 | Apache Foundation |
Apache Commons Text
Software for developers |
CWE-94 Improper Control of Generation of Code ('Code Injection') |
Yes |
| 97 | #VU105991 Embedded malicious code (backdoor) |
CVE-2025-30154 | reviewdog |
reviewdog
Software for developers |
CWE-506 Embedded Malicious Code |
No |
| 98 | #VU88869 External Control of File Name or Path |
CVE-2024-4040 | CrushFTP |
CrushFTP
File servers (FTP/HTTP) |
CWE-73 External Control of File Name or Path |
Yes |
| 99 | #VU91716 Heap-based buffer overflow |
CVE-2024-30085 | Microsoft |
Windows
Operating system |
CWE-122 Heap-based Buffer Overflow |
Yes |
| 100 | #VU105548 Out-of-bounds write |
CVE-2025-24201 | WebKitGTK |
WebKitGTK+
Frameworks for developing and running applications |
CWE-787 Out-of-bounds write |
No |