Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.1

    CRITICAL
    CVE-2025-68916

    Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution.... Read more

    Affected Products : netman_208
    • Published: Dec. 24, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 6.4

    MEDIUM
    CVE-2025-68935

    ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.... Read more

    Affected Products : document_server
    • Published: Dec. 25, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-68936

    ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.... Read more

    Affected Products : document_server
    • Published: Dec. 25, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-68938

    Gitea before 1.25.2 mishandles authorization for deletion of releases.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-68939

    Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-68940

    In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-68941

    Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-68942

    Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.1

    HIGH
    CVE-2025-68948

    SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffe... Read more

    Affected Products : siyuan
    • Published: Dec. 27, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cryptography

  • 9.6

    CRITICAL
    CVE-2025-66580

    Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The applicat... Read more

    Affected Products : dive
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.9

    CRITICAL
    CVE-2025-68613

    n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain condit... Read more

    Affected Products : n8n
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2025-68614

    LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not pro... Read more

    Affected Products : librenms
    • Published: Dec. 23, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-68645

    A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craf... Read more

    Affected Products : collaboration
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 6.5

    MEDIUM
    CVE-2025-68914

    Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table.... Read more

    Affected Products : netman_208
    • Published: Dec. 24, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 5.5

    MEDIUM
    CVE-2025-68915

    Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner.... Read more

    Affected Products : netman_208
    • Published: Dec. 24, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 10.0

    CRITICAL
    CVE-2025-67108

    eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.... Read more

    Affected Products : fast_dds
    • Published: Dec. 23, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cryptography

  • 9.6

    CRITICAL
    CVE-2025-67289

    An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.... Read more

    Affected Products : frappe erpnext
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-67290

    A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field.... Read more

    Affected Products : piranha_cms
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-67291

    A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field.... Read more

    Affected Products : piranha_cms
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-67418

    ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default cred... Read more

    Affected Products : clipbucket
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication
Showing 20 of 4442 Results