Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.4

    MEDIUM
    CVE-2025-68935

    ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.... Read more

    Affected Products : document_server
    • Published: Dec. 25, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-68936

    ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.... Read more

    Affected Products : document_server
    • Published: Dec. 25, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-68938

    Gitea before 1.25.2 mishandles authorization for deletion of releases.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-68939

    Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-68940

    In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-68941

    Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-68942

    Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.... Read more

    Affected Products : gitea
    • Published: Dec. 26, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.1

    HIGH
    CVE-2025-68948

    SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffe... Read more

    Affected Products : siyuan
    • Published: Dec. 27, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cryptography

  • 5.4

    MEDIUM
    CVE-2025-68614

    LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not pro... Read more

    Affected Products : librenms
    • Published: Dec. 23, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-68914

    Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table.... Read more

    Affected Products : netman_208
    • Published: Dec. 24, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 5.5

    MEDIUM
    CVE-2025-68915

    Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner.... Read more

    Affected Products : netman_208
    • Published: Dec. 24, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 10.0

    CRITICAL
    CVE-2025-67108

    eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.... Read more

    Affected Products : fast_dds
    • Published: Dec. 23, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cryptography

  • 6.5

    MEDIUM
    CVE-2025-67436

    Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).... Read more

    Affected Products : pluxml
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-15426

    A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. T... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 5.1

    MEDIUM
    CVE-2025-15437

    A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. T... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-14047

    The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2015-10145

    Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an auth... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 4.4

    MEDIUM
    CVE-2025-53594

    A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vuln... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 6.4

    MEDIUM
    CVE-2025-14627

    The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink ... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 8.1

    HIGH
    CVE-2025-59387

    An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the followi... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection
Showing 20 of 4311 Results