Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.9

    CRITICAL
    CVE-2025-66255

    Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation all... Read more

    • Published: Nov. 26, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Authentication

  • 9.9

    CRITICAL
    CVE-2025-66261

    Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed... Read more

    • Published: Nov. 26, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Injection

  • 9.9

    CRITICAL
    CVE-2025-66253

    Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec()... Read more

    • Published: Nov. 26, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Injection

  • 9.9

    CRITICAL
    CVE-2025-12419

    Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take ... Read more

    Affected Products : mattermost_server
    • Published: Nov. 27, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Authentication

  • 9.9

    CRITICAL
    CVE-2025-12421

    Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform acco... Read more

    Affected Products : mattermost_server
    • Published: Nov. 27, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Authentication

  • 9.9

    CRITICAL
    CVE-2025-66256

    Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_... Read more

    • Published: Nov. 26, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Misconfiguration

  • 9.9

    CRITICAL
    CVE-2025-68110

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Information Disclosure

  • 9.9

    CRITICAL
    CVE-2025-14700

    An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.... Read more

    Affected Products : crafty_controller
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection

  • 9.9

    CRITICAL
    CVE-2025-67781

    An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate privileged processes to gain more privileges on Windows computers.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization

  • 9.9

    CRITICAL
    CVE-2025-67164

    An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authentication

  • 9.9

    CRITICAL
    CVE-2025-68270

    The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, a... Read more

    Affected Products : edx-platform
    • Published: Dec. 16, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Authorization

  • 9.9

    CRITICAL
    CVE-2025-64721

    Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed h... Read more

    Affected Products : sandboxie
    • Published: Dec. 11, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-59390

    Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryp... Read more

    Affected Products : druid
    • Published: Nov. 26, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14245

    A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has be... Read more

    Affected Products : ideacms
    • Published: Dec. 08, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-64055

    An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.... Read more

    Affected Products : x210_firmware x210
    • Published: Dec. 03, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2023-53740

    Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials. Attackers can exploit the userManager.cgx endpoint by sending a crafted JSON request with a ... Read more

    • Published: Dec. 10, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14324

    JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.... Read more

    Affected Products : firefox firefox_esr thunderbird
    • Published: Dec. 09, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-65823

    The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access t... Read more

    Affected Products :
    • Published: Dec. 10, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-65602

    A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.... Read more

    Affected Products : chancms
    • Published: Dec. 10, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14210

    A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /delete_member.php. Such manipulation of the argument user_id leads to sql injection. The attack can be launche... Read more

    • Published: Dec. 08, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Injection
Showing 20 of 4530 Results