Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2025-10066

    A security vulnerability has been detected in itsourcecode POS Point of Sale System 1.0. The affected element is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dymanic_table.php. Such manipulation of the argument... Read more

    Affected Products : point_of_sale_system
    • Published: Sep. 07, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-10067

    A vulnerability was detected in itsourcecode POS Point of Sale System 1.0. The impacted element is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php. Performing manipulation of the argument scripts r... Read more

    Affected Products : point_of_sale_system
    • Published: Sep. 07, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-10068

    A flaw has been found in itsourcecode Online Discussion Forum 1.0. This affects an unknown function of the file /admin/admin_forum/add_views.php. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remo... Read more

    • Published: Sep. 07, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-10078

    A vulnerability was detected in SourceCodester Online Polling System 1.0. Affected is an unknown function of the file /admin/candidates.php. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible... Read more

    Affected Products : online_polling_system
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 7.2

    HIGH
    CVE-2025-10081

    A flaw has been found in SourceCodester Pet Management System 1.0. This impacts an unknown function of the file /admin/profile.php. This manipulation of the argument website_image causes unrestricted upload. Remote exploitation of the attack is possible. ... Read more

    Affected Products : pet_grooming_management_software
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-10082

    A vulnerability has been found in SourceCodester Online Polling System 1.0. Affected is an unknown function of the file /admin/manage-admins.php. Such manipulation of the argument email leads to sql injection. The attack can be executed remotely. The expl... Read more

    Affected Products : online_polling_system
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-58450

    pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from inject... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2025-58449

    Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing f... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authentication

  • 3.1

    LOW
    CVE-2025-8277

    A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to c... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2025-58365

    The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, the blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-i... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Information Disclosure

  • 8.8

    HIGH
    CVE-2025-55142

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authen... Read more

    Affected Products : connect_secure policy_secure
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 7.6

    HIGH
    CVE-2025-55148

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authen... Read more

    Affected Products : connect_secure policy_secure
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 6.1

    MEDIUM
    CVE-2025-55143

    Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote una... Read more

    Affected Products : connect_secure policy_secure
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.3

    CRITICAL
    CVE-2025-54994

    @akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server to... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-9114

    The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.4.8. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-9112

    The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, wit... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authentication

  • 8.9

    HIGH
    CVE-2025-55145

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authe... Read more

    Affected Products : policy_secure
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2025-10134

    The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it ... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-42958

    Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalit... Read more

    Affected Products : netweaver
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authentication

  • 4.3

    MEDIUM
    CVE-2025-42923

    Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and avail... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Request Forgery
Showing 20 of 4362 Results