Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 2.0

    LOW
    CVE-2025-62654

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki QuizGame extension allows Stored XSS.This issue affects MediaWiki QuizGame extension: 1.39, 1.43, 1.44.... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-62428

    Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-48087

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason C. Memberlite Shortcodes memberlite-shortcodes allows Stored XSS.This issue affects Memberlite Shortcodes: from n/a through 1.4.1.... Read more

    Affected Products : memberlite_shortcodes
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.4

    CRITICAL
    CVE-2025-8414

    Due to improper input validation, a buffer overflow vulnerability is present in Zigbee EZSP Host Applications. If the buffer overflows, stack corruption is possible. In certain conditions, this could lead to arbitrary code execution. Access to a networ... Read more

    Affected Products : gecko_software_development_kit
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption

  • 5.8

    MEDIUM
    CVE-2025-62652

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS.This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2017-20206

    The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2023-28815

    Some versions of Hikvision's iSecure Center Product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system.iSecure Cent... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 6.3

    MEDIUM
    CVE-2025-25298

    Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently... Read more

    Affected Products : strapi
    • Published: Oct. 16, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-62515

    pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation in the do... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-11849

    Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable t... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-62353

    A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect pr... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Path Traversal

  • 6.5

    MEDIUM
    CVE-2025-62508

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function... Read more

    Affected Products : citizen
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-49655

    Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s ... Read more

    Affected Products : keras
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-62356

    A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect prompt ... Read more

    Affected Products :
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Path Traversal

  • 8.2

    HIGH
    CVE-2024-56143

    Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields... Read more

    Affected Products : strapi
    • Published: Oct. 16, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 9.2

    CRITICAL
    CVE-2025-11899

    Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must f... Read more

    Affected Products : agentflow
    • Published: Oct. 17, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cryptography

  • 6.9

    MEDIUM
    CVE-2025-62669

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects Mediawiki - CentralAuth Extension: from master before 1.39.... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Information Disclosure

  • 6.1

    MEDIUM
    CVE-2025-10612

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.This issue affects City Guide: before 1.4.45.... Read more

    Affected Products :
    • Published: Oct. 21, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2017-20208

    The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_b... Read more

    Affected Products : registrationmagic
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Injection

  • 0.0

    NA
    CVE-2025-40004

    In the Linux kernel, the following vulnerability has been resolved: net/9p: Fix buffer overflow in USB transport layer A buffer overflow vulnerability exists in the USB 9pfs transport layer where inconsistent size validation between packet header parsin... Read more

    Affected Products : linux_kernel
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption
Showing 20 of 4132 Results