Latest CVE Feed
-
8.1
HIGHCVE-2025-61787
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` i... Read more
- Published: Oct. 08, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-11720
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from ... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 15, 2025
- Vuln Type: Information Disclosure
-
8.1
HIGHCVE-2025-3719
An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrative CLI commands... Read more
- Published: Oct. 07, 2025
- Modified: Oct. 09, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-62509
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/de... Read more
Affected Products :- Published: Oct. 20, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-58955
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Karzo karzo allows PHP Local File Inclusion.This issue affects Karzo: from n/a through < 2.6.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Path Traversal
-
8.1
HIGHCVE-2025-59048
OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS ac... Read more
Affected Products :- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-11938
A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remo... Read more
Affected Products : churchcrm- Published: Oct. 19, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-59550
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Xcare xcare allows PHP Local File Inclusion.This issue affects Xcare: from n/a through < 6.5.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Path Traversal
-
8.1
HIGHCVE-2025-59555
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Medizin medizin allows PHP Local File Inclusion.This issue affects Medizin: from n/a through < 1.9.7.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Path Traversal
-
8.1
HIGHCVE-2025-9133
A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series fir... Read more
Affected Products : usg20w-vpn_firmware zld usg_flex_100_firmware atp100_firmware atp100 atp200 atp500 atp100w atp700 atp800 +10 more products- Published: Oct. 21, 2025
- Modified: Oct. 28, 2025
-
8.1
HIGHCVE-2025-59007
Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-59250
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.... Read more
Affected Products : jdbc_driver_for_sql_server_12.8 jdbc_driver_for_sql_server_10.2 jdbc_driver_for_sql_server_12.6 jdbc_driver_for_sql_server_12.4 jdbc_driver_for_sql_server_12.10 jdbc_driver_for_sql_server_13.2 jdbc_driver_for_sql_server_12.2 jdbc_driver_for_sql_server_11.2 jdbc_driver_for_sql_server- Published: Oct. 14, 2025
- Modified: Oct. 30, 2025
-
8.1
HIGHCVE-2025-61751
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vuln... Read more
Affected Products : financial_services_analytical_applications_infrastructure- Published: Oct. 21, 2025
- Modified: Oct. 24, 2025
-
8.1
HIGHCVE-2025-56224
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a bruteforce attack.... Read more
Affected Products : signinghub- Published: Oct. 20, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authentication
-
8.1
HIGHCVE-2025-58075
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of re... Read more
Affected Products : mattermost_server- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-60378
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phi... Read more
Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Cross-Site Scripting
-
8.1
HIGHCVE-2025-62506
MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass the... Read more
Affected Products : minio- Published: Oct. 16, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-43323
This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 26, tvOS 26, iOS 26 and iPadOS 26, watchOS 26. An app may be able to fingerprint the user.... Read more
- Published: Nov. 04, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-62964
Missing Authorization vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MDTF: from n/a through <= 1.3.4.... Read more
Affected Products : wordpress_meta_data_and_taxonomies_filter- Published: Oct. 27, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-62927
Missing Authorization vulnerability in Nelio Software Nelio Content nelio-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nelio Content: from n/a through <= 4.0.5.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Authorization