Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2024-32641

    Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria pa... Read more

    Affected Products : masacms
    • Published: Dec. 03, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Injection

  • 7.0

    HIGH
    CVE-2025-12848

    Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScrip... Read more

    Affected Products : drupal webform_multiple_file_upload
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-55469

    Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.... Read more

    Affected Products : youlai-boot
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-55471

    Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.... Read more

    Affected Products : youlai-boot
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-65672

    Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.... Read more

    Affected Products : classroomio
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-65675

    Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.... Read more

    Affected Products : classroomio
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-65966

    OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in vers... Read more

    Affected Products : oneuptime
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authentication

  • 8.2

    HIGH
    CVE-2025-66028

    OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMa... Read more

    Affected Products : oneuptime
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-64333

    Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a large HTTP content type, when logged can cause a stack overflow crashing Suricata.... Read more

    Affected Products : suricata
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2025-64332

    Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow that causes Suricata to crash can occur if SWF decompression is ena... Read more

    Affected Products : suricata
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Memory Corruption

  • 8.0

    HIGH
    CVE-2025-65202

    TRENDnet TEW-657BRM 1.00.1 has an authenticated remote OS command injection vulnerability in the setup.cgi binary, exploitable via the HTTP parameters "command", "todo", and "next_file," which allows an attacker to execute arbitrary commands with root pri... Read more

    Affected Products : tew-657brm_firmware tew-657brm
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-64330

    Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop ... Read more

    Affected Products : suricata
    • Published: Nov. 26, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Memory Corruption

  • 4.8

    MEDIUM
    CVE-2025-59117

    Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. Onl... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.9

    MEDIUM
    CVE-2025-59116

    Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. Only version 4.1 was tested an... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authentication

  • 5.4

    MEDIUM
    CVE-2025-59115

    Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. ... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-59114

    Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. Only version 4.1 was tested and c... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 7.5

    HIGH
    CVE-2025-59113

    Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this p... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-59112

    Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.9

    MEDIUM
    CVE-2025-59111

    Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vu... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Authorization

  • 6.8

    MEDIUM
    CVE-2025-59110

    Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account... Read more

    Affected Products : windu_cms
    • Published: Nov. 18, 2025
    • Modified: Dec. 05, 2025
    • Vuln Type: Cross-Site Request Forgery
Showing 20 of 3884 Results