Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.4

    MEDIUM
    CVE-2025-60096

    Missing Authorization vulnerability in CodexThemes TheGem (Elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem (Elementor): from n/a through 5.10.5.... Read more

    Affected Products :
    • Published: Sep. 26, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-35431

    CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data such as group memberships. Fixed in 1.1.1.... Read more

    Affected Products : thorium
    • Published: Sep. 17, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2025-48357

    Cross-Site Request Forgery (CSRF) vulnerability in Theme Century Century ToolKit allows Cross Site Request Forgery. This issue affects Century ToolKit: from n/a through 1.2.1.... Read more

    Affected Products :
    • Published: Aug. 28, 2025
    • Modified: Aug. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.4

    MEDIUM
    CVE-2025-53337

    Missing Authorization vulnerability in Ashan Perera LifePress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through 2.1.3.... Read more

    Affected Products :
    • Published: Aug. 28, 2025
    • Modified: Aug. 29, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-33082

    IBM Concert Software 1.0.0 through 1.1.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials di... Read more

    Affected Products : concert
    • Published: Sep. 01, 2025
    • Modified: Sep. 03, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-40708

    Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote ... Read more

    Affected Products : openatlas
    • Published: Aug. 29, 2025
    • Modified: Sep. 02, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-40705

    Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote ... Read more

    Affected Products : openatlas
    • Published: Aug. 29, 2025
    • Modified: Sep. 02, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-9735

    A weakness has been identified in O2OA up to 10.0-410. This affects an unknown function of the file /x_query_assemble_designer/jaxrs/table of the component Personal Profile Page. This manipulation of the argument description/applicationName/queryName caus... Read more

    Affected Products : o2oa
    • Published: Aug. 31, 2025
    • Modified: Sep. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-33083

    IBM Concert Software 1.0.0 through 1.1.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials di... Read more

    Affected Products : concert
    • Published: Sep. 01, 2025
    • Modified: Sep. 03, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-9865

    Inappropriate implementation in Toolbar in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Me... Read more

    Affected Products : android chrome edge_chromium
    • Published: Sep. 03, 2025
    • Modified: Sep. 04, 2025
    • Vuln Type: Information Disclosure

  • 5.4

    MEDIUM
    CVE-2025-9715

    A vulnerability was found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_cms_assemble_control/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site script... Read more

    Affected Products : o2oa
    • Published: Aug. 31, 2025
    • Modified: Sep. 10, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-58639

    Missing Authorization vulnerability in Ali Khallad Contact Form By Mega Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form By Mega Forms: from n/a through 1.6.1.... Read more

    Affected Products :
    • Published: Sep. 03, 2025
    • Modified: Sep. 04, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-53291

    Missing Authorization vulnerability in spoddev2021 Spreadconnect. This issue affects Spreadconnect: from n/a through 2.1.5.... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-40694

    Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a stored authenticated XSS due to the lack of propper validation of user inputs 'fromdate' and 'todate' parameters via POST at the endpoint '/ofrs/admin/bwdat... Read more

    Affected Products : online_fire_reporting_system
    • Published: Sep. 11, 2025
    • Modified: Sep. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-40693

    Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a reflected and stored authenticated XSS due to the lack of propper validation of user inputs 'tname' parameter via GET and, 'teamleadname', 'teammember' and ... Read more

    Affected Products : online_fire_reporting_system
    • Published: Sep. 11, 2025
    • Modified: Sep. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-9659

    A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can... Read more

    Affected Products : o2oa
    • Published: Aug. 29, 2025
    • Modified: Sep. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-42915

    Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups.This issue could impact both the confidentialit... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-51971

    A reflected Cross-Site Scripting (XSS) vulnerability exists in register.php of PuneethReddyHC Online Shopping System Advanced 1.0. Unsanitized user input in the f_name parameter is reflected in the server response without proper HTML encoding or output es... Read more

    Affected Products : online_shopping_system_advanced
    • Published: Aug. 28, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-9718

    A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in c... Read more

    Affected Products : o2oa
    • Published: Aug. 31, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-55144

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authen... Read more

    • Published: Sep. 09, 2025
    • Modified: Sep. 24, 2025
    • Vuln Type: Authorization
Showing 20 of 4479 Results