Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.6

    CRITICAL
    CVE-2025-66022

    FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycl... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 4.3

    MEDIUM
    CVE-2025-66025

    Caido is a web security auditing toolkit. Prior to version 0.53.0, the Markdown renderer used in Caido’s Findings page improperly handled user-supplied Markdown, allowing attacker-controlled links to be rendered without confirmation. When a user opened a ... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.1

    HIGH
    CVE-2025-66269

    The RupsMon and USBMate services in UPSilon 2000 run with SYSTEM privileges and contain unquoted service paths. This allows a local attacker to perform path interception and escalate privileges if they have write permissions to the directories proceeding ... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 7.2

    HIGH
    CVE-2025-66264

    The CMService.exe service runs with SYSTEM privileges and contains an unquoted service path. This allows a local attacker with write privileges to the filesystem to insert a malicious executable in the path, leading to privilege escalation.... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Misconfiguration

  • 6.0

    MEDIUM
    CVE-2025-65953

    NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.22.5, a Heap-Use-After-Free (UAF) vulnerability exists in the TCP transport component of NanoMQ, which relies on the underlying NanoNNG library (specifically in src/s... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Memory Corruption

  • 9.3

    CRITICAL
    CVE-2025-66266

    The RupsMon.exe service executable in UPSilon 2000 has insecure permissions, allowing the 'Everyone' group Full Control. A local attacker can replace the executable with a malicious binary to execute code with SYSTEM privileges or simply change the config... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-65957

    Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys (SUPABASE_API_KEY, TOKEN) are loaded using environment variables, but there are cases in code (error handling, summaries, webhooks) where configu... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Information Disclosure

  • 6.6

    MEDIUM
    CVE-2025-66019

    pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the L... Read more

    Affected Products : pypdf
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Denial of Service

  • 4.3

    MEDIUM
    CVE-2025-65239

    Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 8.6

    HIGH
    CVE-2025-66021

    OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if H... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2021-4472

    The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content.... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 7.6

    HIGH
    CVE-2025-9558

    There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size.... Read more

    Affected Products : zephyr
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Memory Corruption

  • 7.4

    HIGH
    CVE-2025-13735

    Out-of-bounds Read vulnerability in ASR1903、ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C. This issue affects Lapwing_Linux: before 2025/11/26.... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-62354

    Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.... Read more

    Affected Products : cursor
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-13539

    The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_member... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-65278

    An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords.... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Information Disclosure

  • 6.4

    MEDIUM
    CVE-2025-12151

    The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'portfolio_name' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authen... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-66036

    Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting (XSS) in the input handling component. This issue has been patched in version 2.4.7.... Read more

    Affected Products :
    • Published: Nov. 29, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-13675

    The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthentic... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 9.2

    CRITICAL
    CVE-2024-5539

    The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation serv... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization
Showing 20 of 4915 Results