Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.9

    HIGH
    CVE-2025-40890

    A Stored Cross-Site Scripting vulnerability was discovered in the Dashboards functionality due to improper validation of an input parameter. An authenticated low-privilege user can craft a malicious dashboard containing a JavaScript payload and share i... Read more

    Affected Products : cmc guardian
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-10646

    The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient capability check on the Base::get_rest_permission() method in all versions up to, and including, 2.5.7. This makes it possible for authenticat... Read more

    Affected Products : search_exclude
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-13559

    The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes ... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-12003

    A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more i... Read more

    Affected Products : router
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Path Traversal

  • 4.4

    MEDIUM
    CVE-2025-12025

    The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.9

    MEDIUM
    CVE-2025-13385

    The Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the `filter[status]` parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied param... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-13380

    The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the 'lqdai_update_post... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-13383

    The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.8

    MEDIUM
    CVE-2025-59485

    Incorrect default permissions issue exists in Security Point (Windows) of MaLion prior to Ver.5.3.4. If this vulnerability is exploited, an arbitrary file could be placed in the specific folder by a user who can log in to the system where the product's Wi... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Misconfiguration

  • 6.5

    MEDIUM
    CVE-2025-12040

    The Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.9 via several functions in class-th-wishlist-frontend.php due to missing validation on a user controlled key. Thi... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 7.3

    HIGH
    CVE-2025-52539

    A buffer overflow with Xilinx Run Time Environment may allow a local attacker to read or corrupt data from the advanced extensible interface (AXI), potentially resulting in loss of confidentiality, integrity, and/or availability.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Memory Corruption

  • 8.8

    HIGH
    CVE-2025-56400

    Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an at... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.5

    MEDIUM
    CVE-2025-63914

    An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared ... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2025-12525

    The Locker Content plugin for WordPress is vulnerable to Sensitive Information Exposure in version 1.0.0 via the 'lockerco_submit_post' AJAX endpoint. This makes it possible for unauthenticated attackers to extract content from posts that has been protect... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Information Disclosure

  • 8.7

    HIGH
    CVE-2025-34350

    UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the ... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Information Disclosure

  • 8.6

    HIGH
    CVE-2025-12816

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptogr... Read more

    Affected Products : forge
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cryptography

  • 7.5

    HIGH
    CVE-2025-51741

    An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint potentially causing... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Denial of Service

  • 9.2

    CRITICAL
    CVE-2025-59366

    An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to th... Read more

    Affected Products : router
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authentication

  • 8.2

    HIGH
    CVE-2025-65965

    Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Information Disclosure

  • 6.5

    MEDIUM
    CVE-2025-10144

    The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied paramete... Read more

    Affected Products : perfect_brands_for_woocommerce
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection
Showing 20 of 4919 Results