Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.3

    MEDIUM
    CVE-2025-64408

    Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by auth... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-63879

    A reflected cross-site scripted (XSS) vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into th... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.7

    HIGH
    CVE-2025-34337

    eGovFramework/egovframe-common-components versions up to and including 4.3.1 includes Web Editor image upload and related file delivery functionality that uses symmetric encryption to protect URL parameters, but exposes an encryption oracle that allows at... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Information Disclosure

  • 9.3

    CRITICAL
    CVE-2025-34328

    AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. ... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Path Traversal

  • 5.1

    MEDIUM
    CVE-2025-65012

    Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making ... Read more

    Affected Products : kirby
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.5

    HIGH
    CVE-2025-34332

    AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-64076

    Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable refere... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Memory Corruption

  • 6.4

    MEDIUM
    CVE-2025-12878

    The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and out... Read more

    Affected Products : funnelkit_automations
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-13145

    The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_s... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-41346

    Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the ... Read more

    Affected Products : winplus
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-41347

    Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'.... Read more

    Affected Products : winplus
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-41348

    SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/j... Read more

    Affected Products : winplus
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2025-41349

    Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '... Read more

    Affected Products : winplus
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-41350

    Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '... Read more

    Affected Products : winplus
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-63744

    A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program.... Read more

    Affected Products : radare2
    • Published: Nov. 14, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Memory Corruption

  • 5.5

    MEDIUM
    CVE-2025-63745

    A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data.... Read more

    Affected Products : radare2
    • Published: Nov. 14, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-63891

    Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET req... Read more

    Affected Products : simple_online_book_store_system
    • Published: Nov. 14, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Information Disclosure

  • 8.0

    HIGH
    CVE-2025-48593

    In bta_hf_client_cb_init of bta_hf_client_main.cc, there is a possible remote code execution due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.... Read more

    Affected Products : android
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Memory Corruption

  • 6.5

    MEDIUM
    CVE-2025-64084

    An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gridsquare POST parameter. This allows a remote, authentic... Read more

    Affected Products : cloudlog
    • Published: Nov. 14, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 2.1

    LOW
    CVE-2025-41116

    When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it  could result in  the wrong user identifier being u... Read more

    Affected Products :
    • Published: Nov. 11, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization
Showing 20 of 3919 Results