Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.8

    HIGH
    CVE-2025-61805

    Substance3D - Stager versions 3.1.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to e... Read more

    Affected Products : macos windows substance_3d_stager
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 7.8

    HIGH
    CVE-2025-61803

    Substance3D - Stager versions 3.1.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that ... Read more

    Affected Products : macos windows substance_3d_stager
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 7.8

    HIGH
    CVE-2025-61802

    Substance3D - Stager versions 3.1.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must ope... Read more

    Affected Products : macos windows substance_3d_stager
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 8.4

    HIGH
    CVE-2025-43281

    The issue was addressed with improved authentication. This issue is fixed in macOS Sequoia 15.6. A local attacker may be able to elevate their privileges.... Read more

    Affected Products : macos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication

  • 5.5

    MEDIUM
    CVE-2025-43282

    A double free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, watchOS 11.6, tvOS 18.6, visionOS 2.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7, iPadOS 17.7.9. An app may be able to ... Read more

    Affected Products : macos iphone_os tvos watchos ipados visionos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 5.5

    MEDIUM
    CVE-2025-43313

    A logic issue was addressed with improved restrictions. This issue is fixed in macOS Ventura 13.7.7, macOS Sonoma 14.7.7, macOS Sequoia 15.6. An app may be able to access sensitive user data.... Read more

    Affected Products : macos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-61536

    FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer tha... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Server-Side Request Forgery

  • 8.2

    HIGH
    CVE-2025-22381

    Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 9.9

    CRITICAL
    CVE-2025-60306

    code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations.... Read more

    Affected Products : simple_car_rental_system
    • Published: Oct. 10, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication

  • 4.1

    MEDIUM
    CVE-2025-60308

    code-projects Simple Online Hotel Reservation System 1.0 has a Cross Site Scripting (XSS) vulnerability in the Add Room function of the online hotel reservation system. Malicious JavaScript code is entered in the Description field, which can leak the admi... Read more

    • Published: Oct. 10, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.4

    CRITICAL
    CVE-2025-60269

    JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls function located in the src/main/java/org/jeecgframework/web/cgreport/controller/excel/CgExportExcelController.java file.... Read more

    Affected Products : jeewms
    • Published: Oct. 10, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-60268

    An arbitrary file upload vulnerability exists in JeeWMS 20250820, which is caused by the lack of file checking in the saveFiles function in /jeewms/cgUploadController.do. An attacker with normal privileges was able to upload a malicious file that would le... Read more

    Affected Products : jeewms
    • Published: Oct. 10, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Misconfiguration

  • 8.5

    HIGH
    CVE-2025-59429

    FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk H... Read more

    Affected Products : freepbx
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-60540

    karakeep v0.26.0 to v0.7.0 was discovered to contain a Server-Side Request Forgery (SSRF).... Read more

    Affected Products :
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Server-Side Request Forgery

  • 0.0

    NA
    CVE-2025-39967

    In the Linux kernel, the following vulnerability has been resolved: fbcon: fix integer overflow in fbcon_do_set_font Fix integer overflow vulnerabilities in fbcon_do_set_font() where font size calculations could overflow when handling user-controlled fo... Read more

    Affected Products : linux_kernel
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 6.4

    MEDIUM
    CVE-2025-11160

    The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScrip... Read more

    Affected Products : page_builder
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.8

    MEDIUM
    CVE-2025-31702

    A vulnerability exists in certain Dahua embedded products. Third-party malicious attacker with obtained normal user credentials could exploit the vulnerability to access certain data which are restricted to admin privileges, such as system-sensitive files... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-11176

    The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled ke... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authorization

  • 8.6

    HIGH
    CVE-2025-59051

    The FreePBX Endpoint Manager module includes a Network Scanning feature that provides web-based access to nmap functionality for network device discovery. In Endpoint Manager 16 before 16.0.92 and 17 before 17.0.6, insufficiently sanitized user-supplied i... Read more

    Affected Products : freepbx
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 9.5

    CRITICAL
    CVE-2025-62376

    pwn.college DOJO is an education platform for learning cybersecurity. In versions up to and including commit 781d91157cfc234a434d0bab45cbcf97894c642e, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to acc... Read more

    Affected Products :
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication
Showing 20 of 3902 Results