Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-36937

    In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed fo... Read more

    Affected Products : android
    • Published: Dec. 11, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2020-36897

    QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath... Read more

    Affected Products : qihang_media_web_digital_signage
    • Published: Dec. 10, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-67727

    Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it acc... Read more

    Affected Products : parse-server
    • Published: Dec. 12, 2025
    • Modified: Dec. 22, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-14650

    A flaw has been found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown part of the file /cakeshop/product.php. Executing manipulation of the argument Product can lead to sql injection. The attack can be launched remotely. The explo... Read more

    Affected Products : online_cake_ordering_system
    • Published: Dec. 14, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2024-58311

    Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys ... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cryptography

  • 9.8

    CRITICAL
    CVE-2025-66456

    Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard ... Read more

    Affected Products : elysia
    • Published: Dec. 09, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-65882

    An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-50398

    Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter fac_password.... Read more

    Affected Products : d196g_firmware d196g
    • Published: Dec. 16, 2025
    • Modified: Dec. 22, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-10738

    The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient prepa... Read more

    Affected Products :
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14646

    A security flaw has been discovered in code-projects Student File Management System 1.0. This impacts an unknown function of the file /admin/delete_student.php. The manipulation of the argument stud_id results in sql injection. The attack may be performed... Read more

    Affected Products : student_file_management_system
    • Published: Dec. 14, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-67530

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-13184

    Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation, ... Read more

    Affected Products : x5000r_firmware x5000r
    • Published: Dec. 10, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14440

    The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_re... Read more

    Affected Products :
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14514

    A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/add_distributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. ... Read more

    Affected Products : supplier_management_system
    • Published: Dec. 11, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-65834

    Meltytech Shotcut 25.10.31 is vulnerable to Buffer Overflow. A memory access violation occurs when processing MLT project files with manipulated width and height parameters. By setting these values to extremely large numbers, the application attempts to a... Read more

    Affected Products :
    • Published: Dec. 16, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-67525

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion.This issue affects ekommart: from n/a through < 4.3.1.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-65854

    Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allows attackers to execute arbitrary commands and execute a full account takeover.... Read more

    Affected Products : mineadmin
    • Published: Dec. 12, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-29229

    linksys E5600 V1.1.0.26 is vulnerable to command injection in the function ddnsStatus.... Read more

    Affected Products :
    • Published: Dec. 23, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2022-23851

    Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-67524

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion.This issue affects Jobmonster Elementor Addon: fr... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Path Traversal
Showing 20 of 4872 Results