Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-62583

    Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.... Read more

    Affected Products : whale
    • Published: Oct. 16, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-10611

    Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerab... Read more

    Affected Products : api_manager identity_server
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-11900

    The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-60221

    Deserialization of Untrusted Data vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Object Injection.This issue affects Captivate Sync: from n/a through <= 3.0.3.... Read more

    Affected Products :
    • Published: Oct. 22, 2025
    • Modified: Oct. 23, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-11629

    A vulnerability has been found in RainyGao DocSys up to 2.02.36. This impacts the function getUserList of the file /Manage/getUserList.do. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclos... Read more

    Affected Products : docsys
    • Published: Oct. 12, 2025
    • Modified: Oct. 31, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-60039

    Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0.... Read more

    Affected Products :
    • Published: Oct. 22, 2025
    • Modified: Oct. 23, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-6919

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cats Information Technology Software Development Technologies Aykome License Tracking System allows SQL Injection.This issue affects Aykome License Track... Read more

    Affected Products :
    • Published: Oct. 13, 2025
    • Modified: Oct. 14, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-53037

    Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vuln... Read more

    • Published: Oct. 21, 2025
    • Modified: Oct. 23, 2025

  • 9.8

    CRITICAL
    CVE-2025-34516

    Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a use of default credentials vulnerability that allows an unauthenticated attacker to obtain remote access. Ilevia has declined to service this vulnerability, and recommends that customers not... Read more

    • Published: Oct. 16, 2025
    • Modified: Nov. 03, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2017-20206

    The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-6439

    The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in... Read more

    Affected Products :
    • Published: Oct. 11, 2025
    • Modified: Oct. 14, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-10294

    The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user ... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-12215

    A flaw has been found in projectworlds Online Shopping System 1.0. Impacted is an unknown function of the file /login_submit.php. Executing manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit h... Read more

    Affected Products : online_shopping_system
    • Published: Oct. 27, 2025
    • Modified: Oct. 28, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-35051

    Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the rec... Read more

    • Published: Oct. 09, 2025
    • Modified: Oct. 14, 2025
    • Vuln Type: Information Disclosure

  • 9.8

    CRITICAL
    CVE-2025-11551

    A vulnerability was determined in code-projects Student Result Manager 1.0. This affects an unknown function of the file src/students/Database.java. This manipulation of the argument roll/name/gpa causes sql injection. It is possible to initiate the attac... Read more

    Affected Products : student_result_manager
    • Published: Oct. 09, 2025
    • Modified: Oct. 20, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-40765

    A vulnerability has been identified in TeleControl Server Basic V3.1 (All versions >= V3.1.2.2 < V3.1.2.3). The affected application contains an information disclosure vulnerability. This could allow an unauthenticated remote attacker to obtain password h... Read more

    Affected Products : telecontrol_server_basic
    • Published: Oct. 14, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Information Disclosure

  • 9.8

    CRITICAL
    CVE-2025-11709

    A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunder... Read more

    Affected Products : firefox firefox_esr thunderbird
    • Published: Oct. 14, 2025
    • Modified: Nov. 03, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-10850

    The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' functio... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-11595

    A vulnerability was found in Campcodes Online Apartment Visitor Management System 1.0. Impacted is an unknown function of the file /admin-profile.php. Performing manipulation of the argument mobilenumber results in sql injection. Remote exploitation of th... Read more

    • Published: Oct. 11, 2025
    • Modified: Oct. 20, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-59246

    Azure Entra ID Elevation of Privilege Vulnerability... Read more

    Affected Products : microsoft_entra_id entra_id
    • Published: Oct. 09, 2025
    • Modified: Oct. 16, 2025
Showing 20 of 3938 Results