Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-56113

    OS Command Injection vulnerability in Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua.... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-65593

    nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality.... Read more

    Affected Products : nopcommerce
    • Published: Dec. 16, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2025-56097

    OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-56095

    OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-56087

    OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua.... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-12968

    The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. This is due to the `upload_file` function in the `infility_import_fil... Read more

    Affected Products : infility_global
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-53900

    Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions in Kiteworks MFT on managing Connections could lead to unexpected escalation of privileges for authorized users. Thi... Read more

    • Published: Nov. 29, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-56083

    OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_networkId_merge.lua.... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-60081

    Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection.This issue affects PDF for Contact Form 7: from n/a through <= 6.3.4.... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-43529

    A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web ... Read more

    • Actively Exploited
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Memory Corruption

  • 8.8

    HIGH
    CVE-2024-58281

    Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command exe... Read more

    Affected Products : dotclear
    • Published: Dec. 10, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-66289

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid i... Read more

    Affected Products : orangehrm
    • Published: Nov. 29, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-12189

    The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonc... Read more

    Affected Products : bread_and_butter
    • Published: Dec. 05, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2025-66448

    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, th... Read more

    Affected Products : vllm
    • Published: Dec. 01, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-60082

    Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Object Injection.This issue affects PDF for WPForms: from n/a through <= 6.3.1.... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-65780

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side... Read more

    Affected Products : wekan
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2024-58279

    appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell wit... Read more

    Affected Products : apprain
    • Published: Dec. 10, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-14174

    Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)... Read more

    • Actively Exploited
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Memory Corruption

  • 8.8

    HIGH
    CVE-2025-56396

    An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user.... Read more

    Affected Products : ruoyi
    • Published: Nov. 26, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-66214

    Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compre... Read more

    Affected Products : ladybug
    • Published: Dec. 09, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Misconfiguration
Showing 20 of 4460 Results