CVE & Exploit Intelligence Database

Updated 2h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,271 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,547 researchers
176 results
CVE-2025-66305 4.9 MEDIUM 1 Writeup EPSS 0.00
Grav <1.8.0-beta.27 - DoS
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.
CWE-248 Dec 01, 2025
CVE-2025-0657 EPSS 0.00
Automated Logic and Carrier i-Vu Gen5 router drv_gen5_106-01-2380 -...
A weakness in the Automated Logic and Carrier i-Vu Gen5 router on driver version drv_gen5_106-01-2380 allows malformed packets to be sent through the BACnet MS/TP network, causing the devices to enter a fault state. This fault state requires a manual power cycle to return the device to network visibility.
CWE-248 Nov 27, 2025
CVE-2025-8870 4.9 MEDIUM EPSS 0.00
Arista EOS - DoS
On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.
CWE-248 Nov 14, 2025
CVE-2025-12423 7.5 HIGH EPSS 0.00
Azure-access Blu-ic2 Firmware < 1.20 - Denial of Service
Protocol manipulation might lead to denial of service. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CWE-248 Oct 28, 2025
CVE-2025-59462 6.5 MEDIUM EPSS 0.00
C++ CLI Client - DoS
An attacker who tampers with the C++ CLI client may crash the UpdateService during file transfers, disrupting updates and availability.
CWE-248 Oct 27, 2025
CVE-2025-48430 5.5 MEDIUM EPSS 0.00
Command Centre Server <9.30.2482, <9.20.2819, <9.10.3672, <9.00.383...
Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
CWE-248 Oct 23, 2025
CVE-2025-62370 7.5 HIGH 1 Writeup EPSS 0.00
Crates.io Alloy-dyn-abi < 0.8.26 - Denial of Service
Alloy Core libraries are at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash(). Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible. The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.
CWE-248 Oct 15, 2025
CVE-2025-59229 5.5 MEDIUM EPSS 0.00
Microsoft Office - DoS
Uncaught exception in Microsoft Office allows an unauthorized attacker to deny service locally.
CWE-248 Oct 14, 2025
CVE-2025-9124 EPSS 0.00
Product - DoS
A denial-of-service security issue exists in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.
CWE-248 Oct 14, 2025
CVE-2025-59538 7.5 HIGH 1 Writeup EPSS 0.00
Argo CD <3.2.0-rc1 - Use After Free
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
CWE-248 Oct 01, 2025
CVE-2025-55557 7.5 HIGH EPSS 0.00
PyTorch <2.7.0 - DoS
A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).
CWE-248 Sep 25, 2025
CVE-2025-55553 7.5 HIGH EPSS 0.00
PyTorch <2.7.0 - DoS
A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).
CWE-248 Sep 25, 2025
CVE-2025-35436 5.3 MEDIUM 1 Writeup EPSS 0.00
CISA Thorium - Use After Free
CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.
CWE-248 Sep 17, 2025
CVE-2025-59014 2.7 LOW EPSS 0.00
TYPO3 CMS <13.4.17 - DoS
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar.
CWE-248 Sep 09, 2025
CVE-2025-54777 4.3 MEDIUM EPSS 0.00
Multiple Products - DoS
An uncaught exception issue exists in multiple products in the bizhub series. If a malformed file is imported as an S/MIME Email certificate, it may cause a denial-of-service issue that disables the Web Connection feature.
CWE-248 Aug 29, 2025
CVE-2025-55194 5.7 MEDIUM 1 Writeup EPSS 0.00
Part-DB <1.17.3 - DoS
Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.
CWE-248 Aug 13, 2025
CVE-2013-10065 7.5 HIGH 1 PoC Analysis EPSS 0.49
Sysax Multi-Server 6.10 - DoS
A denial-of-service vulnerability exists in Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\x28) in place of the expected SSH protocol delimiter.
CWE-248 Aug 05, 2025
CVE-2025-47281 7.7 HIGH 1 Writeup EPSS 0.00
Kyverno < 1.14.2 - Improper Input Validation
Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2.
CWE-248 Jul 23, 2025
CVE-2025-54134 6.5 MEDIUM 1 Writeup EPSS 0.00
PSU Haxcms-nodejs < 11.0.9 - Improper Input Validation
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9.
CWE-248 Jul 21, 2025
CVE-2025-7338 7.5 HIGH 1 PoC Analysis EPSS 0.00
NPM Multer < 2.0.2 - Denial of Service
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.
CWE-248 Jul 17, 2025