Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.3

    MEDIUM
    CVE-2025-8891

    The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attacker... Read more

    Affected Products :
    • Published: Aug. 13, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.4

    MEDIUM
    CVE-2025-52130

    File upload vulnerability in WebErpMesv2 1.17 in the app/Http/Controllers/FactoryController.php controller. This flaw allows an authenticated attacker to upload arbitrary files, including PHP scripts, which can be accessed via direct GET requests, potenti... Read more

    Affected Products :
    • Published: Aug. 25, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2025-50383

    alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.... Read more

    Affected Products : easyappointments
    • Published: Aug. 25, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-44179

    Hitron CGNF-TWN 3.1.1.43-TWN-pre3 contains a command injection vulnerability in the telnet service. The issue arises due to improper input validation within the telnet command handling mechanism. An attacker can exploit this vulnerability by injecting arb... Read more

    Affected Products :
    • Published: Aug. 25, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-29525

    DASAN GPON ONU H660WM OS version H660WMR210825 Hardware version DS-E5-583-A1 was discovered to contain insecure default credentials in the modem's control panel.... Read more

    Affected Products :
    • Published: Aug. 25, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-29524

    Incorrect access control in the component /cgi-bin/system_diagnostic_main.asp of DASAN GPON ONU H660WM H660WMR210825 allows attackers to access sensitive information.... Read more

    Affected Products :
    • Published: Aug. 25, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authorization

  • 5.1

    MEDIUM
    CVE-2024-46413

    Rebuild v3.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the type parameter in the com.rebuild.web.admin.rbstore.RBStoreController#loadDataIndex method.... Read more

    Affected Products :
    • Published: Aug. 25, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Server-Side Request Forgery

  • 6.5

    MEDIUM
    CVE-2024-46412

    Incorrect access control in the prehandle function of Rebuild v3.7.7 allows attackers to bypass authentication via a crafted GET request sent to /commons/ip-location.... Read more

    Affected Products :
    • Published: Aug. 25, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2024-53851

    Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service... Read more

    Affected Products : discourse
    • Published: Feb. 04, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2025-27505

    GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e... Read more

    Affected Products : geoserver geoserver
    • Published: Jun. 10, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-22602

    Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. Thi... Read more

    Affected Products : discourse
    • Published: Feb. 04, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-30145

    GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop ... Read more

    Affected Products : geoserver geoserver
    • Published: Jun. 10, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Denial of Service

  • 3.1

    LOW
    CVE-2025-22601

    Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user to make changes to their own username via carefully crafted link using the `activate-account` route. This problem has been patched in t... Read more

    Affected Products : discourse
    • Published: Feb. 04, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2022-40732

    An access violation vulnerability exists in the DirectComposition functionality win32kbase.sys driver version 10.0.22000.593 as part of Windows 11 version 22000.593 and version 10.0.20348.643 as part of Windows Server 2022 version 20348.643. A specially-c... Read more

    • Published: Dec. 18, 2024
    • Modified: Aug. 26, 2025

  • 6.5

    MEDIUM
    CVE-2024-56328

    Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in t... Read more

    Affected Products : discourse
    • Published: Feb. 04, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.9

    CRITICAL
    CVE-2025-30220

    GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XM... Read more

    Affected Products : geonetwork geoserver geotools geoserver
    • Published: Jun. 10, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: XML External Entity

  • 6.5

    MEDIUM
    CVE-2022-40733

    An access violation vulnerability exists in the DirectComposition functionality win32kbase.sys driver version 10.0.22000.593 as part of Windows 11 version 22000.593 and version 10.0.20348.643 as part of Windows Server 2022 version 20348.643. A specially-c... Read more

    • Published: Dec. 18, 2024
    • Modified: Aug. 26, 2025

  • 9.8

    CRITICAL
    CVE-2024-41138

    A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams's access privileges, leading to a permission ... Read more

    Affected Products : teams
    • Published: Dec. 18, 2024
    • Modified: Aug. 26, 2025

  • 8.5

    HIGH
    CVE-2025-5689

    A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session.... Read more

    Affected Products : authd
    • Published: Jun. 16, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authorization

  • 8.0

    HIGH
    CVE-2025-46815

    The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an ... Read more

    Affected Products : zitadel
    • Published: May. 06, 2025
    • Modified: Aug. 26, 2025
    • Vuln Type: Authentication
Showing 20 of 293425 Results