Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.8

    MEDIUM
    CVE-2025-28201

    An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access.... Read more

    Affected Products : rx1800_firmware rx1800
    • Published: May. 09, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authentication

  • 4.8

    MEDIUM
    CVE-2024-8702

    The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed ... Read more

    Affected Products : backup_database
    • Published: May. 15, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.9

    MEDIUM
    CVE-2025-32407

    Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites visited by the user. This is a critical misconfiguration ... Read more

    Affected Products : internet
    • Published: May. 16, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Misconfiguration

  • 7.2

    HIGH
    CVE-2025-4190

    The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)... Read more

    Affected Products : csv_mass_importer
    • Published: May. 17, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-48187

    RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rat... Read more

    Affected Products : ragflow
    • Published: May. 17, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-47273

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files t... Read more

    Affected Products : debian_linux setuptools
    • Published: May. 17, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-28202

    Incorrect access control in Victure RX1800 EN_V1.0.0_r12_110933 allows attackers to enable SSH and Telnet services without authentication.... Read more

    Affected Products : rx1800_firmware rx1800
    • Published: May. 09, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-47945

    Donetick an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrato... Read more

    Affected Products : donetick
    • Published: May. 17, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authentication

  • 8.6

    HIGH
    CVE-2025-4863

    A vulnerability, which was classified as critical, was found in Advaya Softech GEMS ERP Portal 2.1. This affects an unknown part of the file /studentLogin/studentLogin.action. The manipulation of the argument userId leads to sql injection. It is possible ... Read more

    Affected Products : gems_erp_portal
    • Published: May. 18, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-4866

    A vulnerability was found in weibocom rill-flow 0.1.18. It has been classified as critical. Affected is an unknown function of the component Management Console. The manipulation leads to code injection. It is possible to launch the attack remotely. The ex... Read more

    Affected Products : rill-flow
    • Published: May. 18, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-4871

    A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. This issue affects some unknown processing of the component REST Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely.... Read more

    Affected Products : pcman_ftp_server ftp_server
    • Published: May. 18, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-4872

    A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component CCC Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The ex... Read more

    • Published: May. 18, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-4905

    A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has ... Read more

    Affected Products : basestation
    • Published: May. 19, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-28371

    EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 is vulnerable to Incorrect Access Control via the password change function. The device fails to validate the current password, allowing an attacker to submit a password change request with an invalid current password ... Read more

    Affected Products : enh500_firmware enh500
    • Published: May. 19, 2025
    • Modified: Jun. 12, 2025

  • 4.8

    MEDIUM
    CVE-2025-44108

    A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then... Read more

    Affected Products : flatpress
    • Published: May. 19, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2024-55063

    Multiple Code Injection vulnerabilities in EasyVirt DC NetScope <= 8.7.0 allows remote authenticated attackers to execute arbitrary code via the (1) lang parameter to /international/keyboard/options; the (2) keyboard_layout or (3) keyboard_variant paramet... Read more

    Affected Products : dc_netscope
    • Published: May. 19, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 7.6

    HIGH
    CVE-2025-30072

    Tiiwee X1 Alarm System TWX1HAKV2 allows Authentication Bypass by Capture-replay, leading to physical Access to the protected facilities without triggering an alarm.... Read more

    Affected Products : twx1hakv2_firmware twx1hakv2
    • Published: May. 19, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authentication

  • 6.2

    MEDIUM
    CVE-2025-3908

    The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.... Read more

    Affected Products : linux_kernel openvpn3linux
    • Published: May. 19, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-28203

    Victure RX1800 EN_V1.0.0_r12_110933 was discovered to contain a command injection vulnerability.... Read more

    Affected Products : rx1800_firmware rx1800
    • Published: May. 09, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-43714

    The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers.... Read more

    Affected Products : chatgpt
    • Published: May. 19, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 293436 Results