Latest CVE Feed
-
7.0
HIGHCVE-2025-34502
Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem a... Read more
Affected Products :- Published: Oct. 24, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Misconfiguration
-
7.0
HIGHCVE-2025-58737
Use after free in Windows Remote Desktop allows an unauthorized attacker to execute code locally.... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
-
7.0
HIGHCVE-2025-55331
Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.... Read more
Affected Products : windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_22h2 windows_11_23h2 windows_server_2022_23h2 windows_server_23h2 windows_11_24h2 windows_server_2025 windows_11_25h2 +1 more products- Published: Oct. 14, 2025
- Modified: Oct. 27, 2025
-
7.0
HIGHCVE-2025-59195
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to deny service locally.... Read more
Affected Products : windows_server_2019 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_22h2 windows_11_23h2 windows_server_2022_23h2 windows_server_23h2 windows_11_24h2 +3 more products- Published: Oct. 14, 2025
- Modified: Oct. 30, 2025
-
7.0
HIGHCVE-2025-59261
Time-of-check time-of-use (toctou) race condition in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 17, 2025
-
7.0
HIGHCVE-2025-58727
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.... Read more
- Published: Oct. 14, 2025
- Modified: Nov. 06, 2025
-
7.0
HIGHCVE-2025-59196
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_22h2 +11 more products- Published: Oct. 14, 2025
- Modified: Oct. 30, 2025
-
7.0
HIGHCVE-2025-55684
Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 27, 2025
-
7.0
HIGHCVE-2025-34500
Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the u... Read more
Affected Products :- Published: Oct. 24, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Cryptography
-
7.0
HIGHCVE-2025-58733
Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_22h2 +11 more products- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
-
7.0
HIGHCVE-2025-58736
Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_22h2 +11 more products- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
-
7.0
HIGHCVE-2025-50174
Use after free in Windows Device Association Broker service allows an authorized attacker to elevate privileges locally.... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 23, 2025
-
7.0
HIGHCVE-2025-59221
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.... Read more
Affected Products : office word sharepoint_server 365_apps office_long_term_servicing_channel office_macos_2024 office_macos_2021 sharepoint_server_2016 word_2016 sharepoint_server_2019 +3 more products- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
-
6.9
MEDIUMCVE-2025-12461
This vulnerability allows an attacker to access parts of the application that are not protected by any type of access control. The attacker could access this path ‘…/epsilonnet/License/About.aspx’ and obtain information on both the licence and the config... Read more
Affected Products : epsilon_rh- Published: Oct. 29, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Authorization
-
6.9
MEDIUMCVE-2025-62250
Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote att... Read more
- Published: Oct. 21, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Authentication
-
6.9
MEDIUMCVE-2025-55082
In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was a potential out of bound read in _nx_secure_tls_process_clienthello() because of a missing validation of PSK length provided in the user message.... Read more
- Published: Oct. 15, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Memory Corruption
-
6.9
MEDIUMCVE-2025-62418
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malici... Read more
Affected Products : bagisto- Published: Oct. 16, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Cross-Site Scripting
-
6.9
MEDIUMCVE-2025-62259
Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verifie... Read more
- Published: Oct. 27, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Authentication
-
6.9
MEDIUMCVE-2025-62696
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in The Wikimedia Foundation Mediawiki Foundation - Springboard Extension allows Command Injection.This issue affects Mediawiki Foundation - Springboard Exten... Read more
Affected Products :- Published: Oct. 21, 2025
- Modified: Oct. 21, 2025
-
6.9
MEDIUMCVE-2025-62261
Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows... Read more
- Published: Oct. 27, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Information Disclosure