Top 10 CISA August 2025 Vulnerabilities
Here are all of the vulnerabilities listed by CISA with a 10 rating. A 10 rating indicates
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Microsoft–Azure Open AI | Azure OpenAI Elevation of Privilege Vulnerability | 8/7/2025 | 10 | CVE-2025-53767 |
| CybercentreCanada–assemblyline | The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138. | 8/9/2025 | 10 | CVE-2025-55013 |
| ADOdb–ADOdb | ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method’s $table parameter. | 8/5/2025 | 10 | CVE-2025-54119 |
| Adobe–Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed. | 8/5/2025 | 10 | CVE-2025-54253 |
| beeteam368–BeeTeam368 Extensions | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in beeteam368 BeeTeam368 Extensions allows PHP Local File Inclusion. This issue affects BeeTeam368 Extensions: from n/a through 1.9.4. | 8/14/2025 | 10 | CVE-2025-25174 |
| thehp–Global DNS | Improper Control of Generation of Code (‘Code Injection’) vulnerability in thehp Global DNS allows Remote Code Inclusion. This issue affects Global DNS: from n/a through 3.1.0. | 8/20/2025 | 10 | CVE-2025-53577 |
| StoreKeeper B.V.–StoreKeeper for WooCommerce | Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4. | 8/20/2025 | 10 | CVE-2025-48148 |
| Paymenter–Paymenter | Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymenter allows a malicious authenticated user to upload arbitrary files. This could result in sensitive data extraction from the database, credentials being read from configuration files, and arbitrary system commands being run under the web server user context. This vulnerability was patched by commit 87c3db4 and was released under the version 1.2.11 tag without any other code modifications compared to version 1.2.10. If upgrading is not immediately possible, administrators can mitigate this vulnerability with one or more of the following measures: updating nginx config to download attachments instead of executing them or disallowing access to /storage/ fully using a WAF such as Cloudflare. | 8/28/2025 | 10 | CVE-2025-58048 |
| LabRedesCefetRJ–WeGIA | WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11. | 8/29/2025 | 10 | CVE-2025-58159 |
| add-ons.org–Drag and Drop File Upload for Elementor Forms | Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.5.3. | 8/28/2025 | 10 | CVE-2025-49387 |
