Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2025-41252

    Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts. Impact: Username enumeration → facilitates unau... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authentication

  • 6.1

    MEDIUM
    CVE-2025-6396

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webbeyaz Website Design Website Software allows Cross-Site Scripting (XSS).This issue affects Website Software: through 2025.07.14.... Read more

    Affected Products :
    • Published: Sep. 26, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-11030

    A vulnerability was detected in Tutorials-Website Employee Management System up to 611887d8f8375271ce8abc704507d46340837a60. Impacted is an unknown function of the file /admin/all-applied-leave.php of the component HTTP Request Handler. The manipulation r... Read more

    Affected Products : employee_management_system
    • Published: Sep. 26, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-59845

    Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified... Read more

    Affected Products :
    • Published: Sep. 26, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.1

    HIGH
    CVE-2025-59945

    SysReptor is a fully customizable pentest reporting platform. In versions from 2024.74 to before 2025.83, authenticated and unprivileged (non-admin) users can assign the is_project_admin permission to their own user. This allows users to read, modify and ... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2024-43192

    IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 4.3

    MEDIUM
    CVE-2025-10499

    The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation on the maybe_opt_in() functi... Read more

    Affected Products : ninja_forms
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 4.3

    MEDIUM
    CVE-2025-9894

    The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticat... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 4.3

    MEDIUM
    CVE-2025-9896

    The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated at... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.1

    MEDIUM
    CVE-2025-9899

    The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 7.6

    HIGH
    CVE-2025-41246

    VMware Tools for Windows contains an improper authorisation vulnerability due to the way it handles user access controls. A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or ESX may exploit t... Read more

    Affected Products : tools
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-9944

    The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it p... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 0.0

    NA
    CVE-2025-56449

    A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST API still allows the use of Basic Authentication to auth... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authentication

  • 8.6

    HIGH
    CVE-2025-11130

    A weakness has been identified in iHongRen pptp-vpn 1.0/1.0.1 on macOS. This issue affects the function shouldAcceptNewConnection of the file HelpTool/HelperTool.m of the component XPC Service. This manipulation causes missing authentication. The attack c... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-36274

    IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.... Read more

    Affected Products : aspera_http_gateway
    • Published: Sep. 26, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Information Disclosure

  • 7.3

    HIGH
    CVE-2025-7647

    The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded directory path `/tmp/llama_index` is used on Linux systems without proper security controls. This vulnerability ... Read more

    Affected Products : llamaindex
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Misconfiguration

  • 7.2

    HIGH
    CVE-2025-9816

    The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and outp... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.8

    MEDIUM
    CVE-2025-11019

    A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public a... Read more

    Affected Products :
    • Published: Sep. 26, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.3

    HIGH
    CVE-2025-57424

    A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including ad... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 0.0

    NA
    CVE-2025-56233

    Openindiana, kernel SunOS 5.11 has a denial of service vulnerability. For the processing of TCP packets with RST or SYN flag set, Openindiana has a wide acceptable range of sequence numbers. It does not require the sequence number to exactly match the nex... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Denial of Service
Showing 20 of 3950 Results