Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-15181

    A security flaw has been discovered in code-projects Refugee Food Management System 1.0. The impacted element is an unknown function of the file /home/pagenateRefugeesList.php. Performing manipulation of the argument rfid results in sql injection. Remote ... Read more

    Affected Products : refugee_food_management_system
    • Published: Dec. 29, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-15193

    A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. This affects the function sub_423848 of the file /boafrm/formParentControl. Performing manipulation of the argument submit-url results in buffer overflow. The attack is possible to be carried o... Read more

    Affected Products : dwr-m920_firmware dwr-m920
    • Published: Dec. 29, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 8.8

    HIGH
    CVE-2025-15192

    A security vulnerability has been detected in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_415328 of the file /boafrm/formLtefotaUpgradeQuectel. Such manipulation of the argument fota_url leads to command injection. The attack ca... Read more

    Affected Products : dwr-m920_firmware dwr-m920
    • Published: Dec. 29, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-15191

    A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the ... Read more

    Affected Products : dwr-m920_firmware dwr-m920
    • Published: Dec. 29, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-15190

    A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. ... Read more

    Affected Products : dwr-m920_firmware dwr-m920
    • Published: Dec. 29, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 9.0

    HIGH
    CVE-2025-15189

    A vulnerability was identified in D-Link DWR-M920 up to 1.1.50. This issue affects the function sub_464794 of the file /boafrm/formDefRoute. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The ex... Read more

    Affected Products : dwr-m920_firmware dwr-m920
    • Published: Dec. 29, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 6.2

    MEDIUM
    CVE-2025-36154

    IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.... Read more

    Affected Products : concert
    • Published: Dec. 24, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2025-15143

    A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content result... Read more

    Affected Products : eyoucms
    • Published: Dec. 28, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2020-36902

    UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer va... Read more

    • Published: Dec. 10, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authorization

  • 4.7

    MEDIUM
    CVE-2025-67809

    An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, an... Read more

    Affected Products : collaboration
    • Published: Dec. 15, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2020-36901

    UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the... Read more

    • Published: Dec. 10, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 3.3

    LOW
    CVE-2025-55703

    An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays without proper input validation. This can allow attackers to manipulate SQL queries. This has bee... Read more

    Affected Products : power_iq
    • Published: Dec. 15, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2019-25243

    FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipu... Read more

    • Published: Dec. 24, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 5.1

    MEDIUM
    CVE-2019-25242

    FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new adm... Read more

    • Published: Dec. 24, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 9.8

    CRITICAL
    CVE-2025-14860

    Use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 146.0.1.... Read more

    Affected Products : firefox
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 8.8

    HIGH
    CVE-2025-14861

    Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146.0.1.... Read more

    Affected Products : firefox
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-63757

    Integer overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0.... Read more

    Affected Products : ffmpeg
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-63386

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: t... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-63388

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Contr... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-63389

    A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unautho... Read more

    Affected Products : ollama
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authentication
Showing 20 of 5364 Results