Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Filters
Severity
Exploitation
Data Source
Data Quality
Vendor
CWE — Weakness Type
Clear all
Top 20 matches Showing top matches — use filters or a more specific query to narrow
CVE-2025-6949
CRITICAL CVSS 9.3
Find Similar
An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-priv
CVE-2026-2095
CRITICAL CVSS 9.3
Find Similar
Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain arbitrary user authentication token
A vulnerability in the REST API of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inade
A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileg
CVE-2026-45829
CRITICAL CVSS 10.0
Find Similar
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a maliciou
CVE-2025-34089
CRITICAL CVSS 9.3
Find Similar
An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application
An unauthenticated remote attacker may use the devices traffic capture without authentication to grab plaintext administrative credentials.
CVE-2026-1731
CRITICAL CVSS 9.9 KEV
Find Similar
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted req
CVE-2026-22240
CRITICAL CVSS 10.0
Find Similar
The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerab
An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function.
There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side p
Uncontrolled search path for some System Event Log Viewer Utility software for all versions within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with
CVE-2025-41651
CRITICAL CVSS 9.8
Find Similar
Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configura
A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requireme
A vulnerability in the REST API of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inade
CVE-2025-34073
CRITICAL CVSS 10.0
Find Similar
An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter
An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
CVE-2026-1670
CRITICAL CVSS 9.3
Find Similar
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.
An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled.