Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.4

    CRITICAL
    CVE-2024-14003

    Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution p... Read more

    Affected Products : xi
    • Published: Oct. 30, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-60269

    JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls function located in the src/main/java/org/jeecgframework/web/cgreport/controller/excel/CgExportExcelController.java file.... Read more

    Affected Products : jeewms
    • Published: Oct. 10, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-34284

    Nagios XI versions prior to 2024R2 contain a command injection vulnerability in the WinRM plugin. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend c... Read more

    Affected Products : xi
    • Published: Oct. 30, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2024-14008

    Nagios XI versions prior to 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Insufficient validation of user-supplied input allows an authenticated administrator to inject shell metacharacters that are incorpo... Read more

    Affected Products : xi
    • Published: Oct. 30, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-56749

    Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account.... Read more

    Affected Products : academy_lms
    • Published: Oct. 15, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2024-14009

    Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling o... Read more

    Affected Products : xi
    • Published: Oct. 30, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Authorization

  • 9.4

    CRITICAL
    CVE-2025-34134

    Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence (BPI) component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters (notably bpi_logfi... Read more

    Affected Products : xi
    • Published: Oct. 30, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.4

    CRITICAL
    CVE-2025-10728

    When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading to stack overflow DoS... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Denial of Service

  • 9.4

    CRITICAL
    CVE-2025-59978

    An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to store script tags directly in web pages that, when viewed by another user, enable the attacker to e... Read more

    Affected Products : junos_space
    • Published: Oct. 09, 2025
    • Modified: Oct. 14, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.4

    CRITICAL
    CVE-2025-60316

    SourceCodester Pet Grooming Management Software 1.0 is vulnerable to SQL Injection in admin/view_customer.php via the ID parameter.... Read more

    Affected Products : pet_grooming_management_software
    • Published: Oct. 09, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-34277

    Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can caus... Read more

    Affected Products :
    • Published: Oct. 30, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-34292

    Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::... Read more

    Affected Products : rox
    • Published: Oct. 27, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-61777

    Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or auth... Read more

    Affected Products : flagforge
    • Published: Oct. 06, 2025
    • Modified: Oct. 30, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-62360

    WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users.Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_documento.php endpoint, specifically in the id_dependente param... Read more

    Affected Products : wegia
    • Published: Oct. 13, 2025
    • Modified: Oct. 20, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-62410

    In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attacker... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Misconfiguration

  • 9.3

    CRITICAL
    CVE-2025-6893

    An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data endpoint of the affected device. This flaw allows... Read more

    Affected Products : tn-4900_firmware
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authorization

  • 9.3

    CRITICAL
    CVE-2025-41019

    SQL injection in Sergestec's SISTICK v7.2. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'id' parameter in '/index.php?view=ticket_detail'.... Read more

    Affected Products : exito
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-59557

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection.This issue affects Learts Addons: from n/a through < 1.7.5.... Read more

    Affected Products :
    • Published: Oct. 22, 2025
    • Modified: Oct. 23, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-49931

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CrocoBlock JetSearch jet-search allows Blind SQL Injection.This issue affects JetSearch: from n/a through <= 3.5.10.... Read more

    Affected Products : jetsearch
    • Published: Oct. 22, 2025
    • Modified: Oct. 23, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-41009

    SQL injection vulnerability in the DRED virtual campus platform. This vulnerability allows an attacker to retrieve, create, update, and delete data from the database by sending a POST request using the ‘buscame’ parameter in ‘/catalogo_c/catalogo.php’.... Read more

    Affected Products :
    • Published: Oct. 27, 2025
    • Modified: Oct. 27, 2025
    • Vuln Type: Injection
Showing 20 of 4060 Results