CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2025-58360

OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability

Vendor: OSGeo

Product: GeoServer

Added: 2025-12-11

Due Date: 2026-01-01

Description:

OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-611

CVE-2025-6218

RARLAB WinRAR Path Traversal Vulnerability

Vendor: RARLAB

Product: WinRAR

Added: 2025-12-09

Due Date: 2025-12-30

Description:

RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22

CVE-2025-62221

Microsoft Windows Use After Free Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2025-12-09

Due Date: 2025-12-30

Description:

Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-416

CVE-2022-37055

D-Link Routers Buffer Overflow Vulnerability

Vendor: D-Link

Product: Routers

Added: 2025-12-08

Due Date: 2025-12-29

Description:

D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-120

CVE-2025-66644

Array Networks ArrayOS AG OS Command Injection Vulnerability

Vendor: Array Networks

Product: ArrayOS AG

Added: 2025-12-08

Due Date: 2025-12-29

Description:

Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78

CVE-2025-55182

Ransomware

Meta React Server Components Remote Code Execution Vulnerability

Vendor: Meta

Product: React Server Components

Added: 2025-12-05

Due Date: 2025-12-12

Description:

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2021-26828

OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability

Vendor: OpenPLC

Product: ScadaBR

Added: 2025-12-03

Due Date: 2025-12-24

Description:

OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-434

CVE-2025-48633

Android Framework Information Disclosure Vulnerability

Vendor: Android

Product: Framework

Added: 2025-12-02

Due Date: 2025-12-23

Description:

Android Framework contains an unspecified vulnerability that allows for information disclosure.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-48572

Android Framework Privilege Escalation Vulnerability

Vendor: Android

Product: Framework

Added: 2025-12-02

Due Date: 2025-12-23

Description:

Android Framework contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2021-26829

OpenPLC ScadaBR Cross-site Scripting Vulnerability

Vendor: OpenPLC

Product: ScadaBR

Added: 2025-11-28

Due Date: 2025-12-19

Description:

OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-79

CVE-2025-61757

Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability

Vendor: Oracle

Product: Fusion Middleware

Added: 2025-11-21

Due Date: 2025-12-12

Description:

Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-306

CVE-2025-13223

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2025-11-19

Due Date: 2025-12-10

Description:

Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-843

CVE-2025-58034

Fortinet FortiWeb OS Command Injection Vulnerability

Vendor: Fortinet

Product: FortiWeb

Added: 2025-11-18

Due Date: 2025-11-25

Description:

Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-78

CVE-2025-64446

Fortinet FortiWeb Path Traversal Vulnerability

Vendor: Fortinet

Product: FortiWeb

Added: 2025-11-14

Due Date: 2025-11-21

Description:

Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-23

CVE-2025-12480

Gladinet Triofox Improper Access Control Vulnerability

Vendor: Gladinet

Product: Triofox

Added: 2025-11-12

Due Date: 2025-12-03

Description:

Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-284