Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-68586

    Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cooked: from n/a through <= 1.11.2.... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-56086

    OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.... Read more

    • Published: Dec. 11, 2025
    • Modified: Dec. 26, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2023-53868

    Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and ... Read more

    Affected Products : coppermine_photo_gallery
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-14214

    A vulnerability has been found in itsourcecode Student Information System 1.0. This affects an unknown part of the file /section_edit1.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The expl... Read more

    • Published: Dec. 08, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-66448

    vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, th... Read more

    Affected Products : vllm
    • Published: Dec. 01, 2025
    • Modified: Dec. 03, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-13065

    The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization wh... Read more

    Affected Products :
    • Published: Dec. 06, 2025
    • Modified: Dec. 08, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-65730

    Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication.... Read more

    Affected Products : goaway
    • Published: Dec. 05, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-13534

    The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it... Read more

    Affected Products : wsdesk
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-34437

    AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video ob... Read more

    Affected Products : avideo avideo
    • Published: Dec. 17, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-14203

    A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. This manipulation of the argument subid causes sql injection. Remote exploitation of the attack is poss... Read more

    Affected Products : question_paper_generator
    • Published: Dec. 07, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-67622

    Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS.This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9.... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2025-34436

    AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.... Read more

    Affected Products : avideo
    • Published: Dec. 17, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-56127

    OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the get_wanobj in file /usr/lib/lua/luci/controller/admin/common.lua.... Read more

    Affected Products : rg-bcr600w_firmware rg-bcr600w
    • Published: Dec. 11, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-60786

    A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file.... Read more

    Affected Products : icescrum
    • Published: Dec. 15, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-66738

    An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.... Read more

    Affected Products :
    • Published: Dec. 26, 2025
    • Modified: Dec. 27, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2023-53929

    phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an ad... Read more

    Affected Products : phpmyfaq
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-65780

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side... Read more

    Affected Products : wekan
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-13481

    IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input.... Read more

    Affected Products : linux_kernel aspera_orchestrator
    • Published: Dec. 11, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2023-53888

    Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute s... Read more

    Affected Products : zomplog
    • Published: Dec. 15, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-7073

    A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback)... Read more

    • Published: Dec. 10, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal
Showing 20 of 4776 Results