Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2025-6108

    A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function watermarkTest of the file /springbt_watermark/src/main/java/cn... Read more

    Affected Products :
    • Published: Jun. 16, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Path Traversal

  • 10.0

    HIGH
    CVE-2025-6098

    A vulnerability was found in UTT 进取 750W up to 5.0. It has been classified as critical. This affects the function strcpy of the file /goform/setSysAdm of the component API. The manipulation of the argument passwd1 leads to buffer overflow. It is possible ... Read more

    Affected Products :
    • Published: Jun. 16, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Memory Corruption

  • 4.3

    MEDIUM
    CVE-2025-6059

    The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possi... Read more

    Affected Products : seraphinite_accelerator
    • Published: Jun. 14, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.1

    MEDIUM
    CVE-2025-6040

    The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthentica... Read more

    Affected Products :
    • Published: Jun. 14, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.1

    MEDIUM
    CVE-2025-6064

    The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthen... Read more

    Affected Products :
    • Published: Jun. 14, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.5

    MEDIUM
    CVE-2025-6012

    The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta... Read more

    Affected Products :
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-5928

    The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wp_sliding_panel_user_options() function. This m... Read more

    Affected Products :
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 9.4

    CRITICAL
    CVE-2025-6030

    Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto.  Attack conf... Read more

    Affected Products :
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cryptography

  • 9.0

    HIGH
    CVE-2025-6104

    A vulnerability, which was classified as critical, was found in Wifi-soft UniBox Controller up to 20250506. This affects an unknown part of the file /billing/pms_check.php. The manipulation of the argument ipaddress leads to os command injection. It is po... Read more

    Affected Products :
    • Published: Jun. 16, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Injection

  • 5.5

    MEDIUM
    CVE-2025-6101

    A vulnerability classified as critical has been found in letta-ai letta up to 0.4.1. Affected is the function function_message of the file letta/letta/interface.py. The manipulation of the argument function_name/function_args leads to improper neutralizat... Read more

    Affected Products :
    • Published: Jun. 16, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-5485

    User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifier... Read more

    Affected Products :
    • Published: Jun. 12, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Authentication

  • 6.4

    MEDIUM
    CVE-2025-5233

    The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated at... Read more

    Affected Products :
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.7

    HIGH
    CVE-2025-4987

    A stored Cross-site Scripting (XSS) vulnerability affecting Opportunity Management in Project Portfolio Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser sess... Read more

    Affected Products :
    • Published: Jun. 16, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-4667

    The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments s... Read more

    Affected Products : simply_schedule_appointments
    • Published: Jun. 14, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.1

    MEDIUM
    CVE-2025-4233

    An insufficient implementation of cache vulnerability in Palo Alto Networks Prisma® Access Browser enables users to bypass certain data control policies.... Read more

    Affected Products :
    • Published: Jun. 12, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Authorization

  • 8.4

    HIGH
    CVE-2025-4230

    A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN... Read more

    Affected Products : pan-os
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-4216

    The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attribut... Read more

    Affected Products :
    • Published: Jun. 14, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.6

    MEDIUM
    CVE-2025-4228

    An incorrect privilege assignment vulnerability in Palo Alto Networks Cortex® XDR Broker VM allows an authenticated administrative user to execute certain files available within the Broker VM and escalate their privileges to root.... Read more

    Affected Products :
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Authorization

  • 4.4

    MEDIUM
    CVE-2025-49598

    conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted me... Read more

    Affected Products :
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Misconfiguration

  • 8.6

    HIGH
    CVE-2025-49468

    A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the id_module parameter.... Read more

    Affected Products :
    • Published: Jun. 13, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Injection
Showing 20 of 293435 Results