Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-57625

    CYRISMA Sensor before 444 for Windows has an Insecure Folder and File Permissions vulnerability. A low-privileged user can abuse these issues to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM by replacing DataSpotlite... Read more

    Affected Products :
    • Published: Sep. 16, 2025
    • Modified: Sep. 17, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-10201

    Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: High)... Read more

    • Published: Sep. 10, 2025
    • Modified: Sep. 22, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-10481

    A security vulnerability has been detected in SourceCodester Online Student File Management System 1.0. This impacts an unknown function of the file /remove_file.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the a... Read more

    • Published: Sep. 15, 2025
    • Modified: Sep. 22, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-10016

    The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file by racing to connect to the daemon when other app spawns it ... Read more

    Affected Products :
    • Published: Sep. 16, 2025
    • Modified: Sep. 16, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-56265

    An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file.... Read more

    Affected Products : n8n
    • Published: Sep. 08, 2025
    • Modified: Sep. 12, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-10380

    The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when p... Read more

    Affected Products :
    • Published: Sep. 23, 2025
    • Modified: Sep. 23, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-56413

    OS Command injection vulnerability in function OperateSSH in 1panel 2.0.8 allowing attackers to execute arbitrary commands via the operation parameter to the /api/v2/hosts/ssh/operate endpoint.... Read more

    Affected Products : 1panel
    • Published: Sep. 10, 2025
    • Modified: Sep. 17, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-58756

    MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py , `weights_only=T... Read more

    Affected Products : medical_open_network_for_ai
    • Published: Sep. 09, 2025
    • Modified: Sep. 19, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-20326

    A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an unauthenticated, remote attacker to conduct a cross-site requ... Read more

    Affected Products : unified_communications_manager
    • Published: Sep. 03, 2025
    • Modified: Sep. 10, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2025-10057

    The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This m... Read more

    Affected Products :
    • Published: Sep. 17, 2025
    • Modified: Sep. 17, 2025
    • Vuln Type: Information Disclosure

  • 8.8

    HIGH
    CVE-2025-9216

    The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and ... Read more

    Affected Products :
    • Published: Sep. 17, 2025
    • Modified: Sep. 17, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-10409

    A weakness has been identified in SourceCodester Student Grading System 1.0. This affects an unknown part of the file /rms.php?page=users. Executing manipulation of the argument fname can lead to sql injection. The attack can be launched remotely. The exp... Read more

    • Published: Sep. 14, 2025
    • Modified: Sep. 19, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-58176

    Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. In versions 0.9.0 through 0.9.3, there is a one-click Remote Code Execution vulnerability triggered through a custom url value, `transport` in the JSO... Read more

    Affected Products : dive
    • Published: Sep. 03, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-10420

    A vulnerability was detected in SourceCodester Student Grading System 1.0. This affects an unknown part of the file /form137.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now... Read more

    • Published: Sep. 15, 2025
    • Modified: Sep. 19, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-59143

    color is a Javascript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with ... Read more

    Affected Products :
    • Published: Sep. 15, 2025
    • Modified: Sep. 16, 2025
    • Vuln Type: Supply Chain

  • 8.8

    HIGH
    CVE-2025-59144

    debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added ... Read more

    Affected Products : debug
    • Published: Sep. 15, 2025
    • Modified: Sep. 16, 2025
    • Vuln Type: Supply Chain

  • 8.8

    HIGH
    CVE-2025-59142

    color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but w... Read more

    Affected Products : color-string
    • Published: Sep. 15, 2025
    • Modified: Sep. 16, 2025
    • Vuln Type: Supply Chain

  • 8.8

    HIGH
    CVE-2025-57439

    Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. An authenticated attacker can inject arbitrary Lua code into the configuration, which is then executed on the server. This allows ... Read more

    Affected Products :
    • Published: Sep. 22, 2025
    • Modified: Sep. 22, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-59140

    backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware pay... Read more

    Affected Products :
    • Published: Sep. 15, 2025
    • Modified: Sep. 16, 2025
    • Vuln Type: Supply Chain

  • 8.8

    HIGH
    CVE-2025-10592

    A security vulnerability has been detected in itsourcecode Online Public Access Catalog OPAC 1.0. This impacts an unknown function of the file mysearch.php of the component POST Parameter Handler. Such manipulation of the argument search_field/search_text... Read more

    Affected Products : online_public_access_catalog
    • Published: Sep. 17, 2025
    • Modified: Sep. 22, 2025
    • Vuln Type: Injection
Showing 20 of 4401 Results