Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-54875

    FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page,... Read more

    Affected Products : freshrss
    • Published: Sep. 29, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Authentication

  • 6.1

    MEDIUM
    CVE-2025-57769

    FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If em... Read more

    Affected Products : freshrss
    • Published: Sep. 29, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.7

    MEDIUM
    CVE-2025-59948

    FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not sanitize certain event handler attributes in feed content, so by finding a page that renders feed entries without CSP, it is possible to execute an XSS payload. The Allow A... Read more

    Affected Products : freshrss
    • Published: Sep. 29, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.7

    MEDIUM
    CVE-2025-59950

    FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page a... Read more

    Affected Products : freshrss
    • Published: Sep. 30, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.9

    MEDIUM
    CVE-2025-61586

    FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist... Read more

    Affected Products : freshrss
    • Published: Sep. 30, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Path Traversal

  • 9.0

    HIGH
    CVE-2025-11123

    A flaw has been found in Tenda AC18 15.03.05.19. This impacts an unknown function of the file /goform/saveAutoQos. This manipulation of the argument enable causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publ... Read more

    Affected Products : ac18_firmware ac18
    • Published: Sep. 28, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Memory Corruption

  • 9.0

    HIGH
    CVE-2025-11122

    A vulnerability was detected in Tenda AC18 15.03.05.19. This affects an unknown function of the file /goform/WizardHandle. The manipulation of the argument WANT/mtuvalue results in stack-based buffer overflow. The attack can be launched remotely. The expl... Read more

    Affected Products : ac18_firmware ac18
    • Published: Sep. 28, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Memory Corruption

  • 8.8

    HIGH
    CVE-2025-11121

    A security vulnerability has been detected in Tenda AC18 15.03.05.19. The impacted element is an unknown function of the file /goform/AdvSetLanip. The manipulation of the argument lanIp leads to command injection. The attack can be initiated remotely. The... Read more

    Affected Products : ac18_firmware ac18
    • Published: Sep. 28, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-11120

    A weakness has been identified in Tenda AC8 16.03.34.06. The affected element is the function formSetServerConfig of the file /goform/SetServerConfig. Executing manipulation can lead to buffer overflow. It is possible to launch the attack remotely. The ex... Read more

    Affected Products : ac18_firmware ac8_firmware ac18
    • Published: Sep. 28, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Memory Corruption

  • 6.1

    MEDIUM
    CVE-2025-11119

    A security flaw has been discovered in itsourcecode Hostel Management System 1.0. Impacted is an unknown function of the file /justines/index.php of the component POST Request Handler. Performing manipulation of the argument from results in cross site scr... Read more

    Affected Products : hostel_management_system
    • Published: Sep. 28, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-11118

    A vulnerability was identified in CodeAstro Student Grading System 1.0. This issue affects some unknown processing of the file /adminLogin.php. Such manipulation of the argument staffId leads to sql injection. The attack may be performed from remote. The ... Read more

    Affected Products : student_grading_system
    • Published: Sep. 28, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-11117

    A vulnerability was determined in Tenda CH22 1.0.0.1. This vulnerability affects the function formWrlExtraGet of the file /goform/GstDhcpSetSer. This manipulation of the argument dips causes buffer overflow. The attack is possible to be carried out remote... Read more

    Affected Products : ch22_firmware ch22
    • Published: Sep. 28, 2025
    • Modified: Oct. 03, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-59743

    SQL injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability could allow an attacker to retrieve, create, update, and delete databases by sending a POST request. The relationship between parameter and assigned identifier is a 'SessionID' cook... Read more

    Affected Products : e-tms
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2025-59744

    Path traversal vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to access files only within the web root using the “docurl” parameter in “/lib/asp/DOCSAVEASASP.ASP”.... Read more

    Affected Products : e-tms
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-59742

    SQL injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability could allow an attacker to retrieve, create, update, and delete databases by sending a POST request. The relationship between parameter and assigned identifier is a 'USRMAIL' parame... Read more

    Affected Products : e-tms
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-59741

    Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a... Read more

    Affected Products : e-tms
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-59740

    Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a... Read more

    Affected Products : e-tms
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-59739

    Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a... Read more

    Affected Products : e-tms
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Injection

  • 5.1

    MEDIUM
    CVE-2025-57443

    FrostWire 6.14.0-build-326 for macOS contains permissive entitlements (allow-dyld-environment-variables, disable-library-validation) that allow unprivileged local attackers to inject code into the FrostWire process via the DYLD_INSERT_LIBRARIES environmen... Read more

    Affected Products :
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-59738

    Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a... Read more

    Affected Products : e-tms
    • Published: Oct. 02, 2025
    • Modified: Oct. 02, 2025
    • Vuln Type: Injection
Showing 20 of 4035 Results