Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-13559

    The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes ... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 6.0

    MEDIUM
    CVE-2025-59368

    An integer underflow vulnerability has been identified in Aicloud. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the ' Security Update for ASUS Router... Read more

    Affected Products : router
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2025-65951

    Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF a... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cryptography

  • 4.3

    MEDIUM
    CVE-2025-13452

    The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 5.1

    MEDIUM
    CVE-2025-13584

    A security vulnerability has been detected in Eigenfocus up to 1.4.0. This vulnerability affects unknown code of the component Description Handler. The manipulation of the argument entry.description/time_entry.description leads to cross site scripting. Th... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-13376

    The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Misconfiguration

  • 9.6

    CRITICAL
    CVE-2025-60739

    Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.5

    MEDIUM
    CVE-2025-13443

    A vulnerability was detected in macrozheng mall up to 1.0.3. Affected by this issue is the function delete of the file /member/readHistory/delete. Performing manipulation of the argument ids results in improper access controls. Remote exploitation of the ... Read more

    Affected Products : mall
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 6.1

    MEDIUM
    CVE-2025-60796

    phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations i... Read more

    Affected Products : phppgadmin
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-60797

    phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->c... Read more

    Affected Products : phppgadmin
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-60798

    phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attack... Read more

    Affected Products : phppgadmin
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-60799

    phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'qu... Read more

    Affected Products : phppgadmin
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-62709

    ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Be... Read more

    Affected Products : clipbucket
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Server-Side Request Forgery

  • 8.8

    HIGH
    CVE-2025-48986

    Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an logged in attacker to change other users' email address and potentialy take over their accounts using the forgot password functionality.... Read more

    Affected Products : revive_adserver
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 6.3

    MEDIUM
    CVE-2025-48987

    Improper Neutralization of Input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes a potential reflected XSS attack.... Read more

    Affected Products : revive_adserver
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-63889

    The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.... Read more

    Affected Products : thinkphp
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-63888

    The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.... Read more

    Affected Products : thinkphp
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 7.3

    HIGH
    CVE-2025-66079

    Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenverse Form: from n/a through <= 2.2.0.... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-5092

    Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes.... Read more

    Affected Products : ibtana
    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-13484

    A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack ... Read more

    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4540 Results