Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.6

    CRITICAL
    CVE-2025-9804

    An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operatio... Read more

    Affected Products : api_manager identity_server
    • Published: Oct. 16, 2025
    • Modified: Oct. 17, 2025
    • Vuln Type: Authorization

  • 5.6

    MEDIUM
    CVE-2025-54271

    Creative Cloud Desktop versions 6.7.0.278 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to arbitrary file system write. A low-privileged attacker could exploit the timing between the check an... Read more

    • Published: Oct. 15, 2025
    • Modified: Oct. 17, 2025
    • Vuln Type: Race Condition

  • 6.1

    MEDIUM
    CVE-2025-43280

    The issue was resolved by not loading remote images This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode.... Read more

    Affected Products : iphone_os ipados
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Misconfiguration

  • 7.1

    HIGH
    CVE-2025-61543

    A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses `$_SERVER['HTTP_HOST']` directly to construct password reset links sent via email. An attacker can manipulate the Host header to send m... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 7.8

    HIGH
    CVE-2025-53951

    An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiDLP Agent's Outlookproxy plugin for Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and ... Read more

    Affected Products : windows fortidlp_agent fortidlp
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Path Traversal

  • 7.8

    HIGH
    CVE-2025-54658

    An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiDLP Agent's Outlookproxy plugin for MacOS 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11... Read more

    Affected Products : macos fortidlp_agent fortidlp
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Path Traversal

  • 6.0

    MEDIUM
    CVE-2025-53950

    An Exposure of Private Personal Information ('Privacy Violation') vulnerability [CWE-359] in Fortinet FortiDLP Agent's Outlookproxy plugin for MacOS and Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.... Read more

    Affected Products : macos windows fortidlp_agent fortidlp
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Information Disclosure

  • 4.4

    MEDIUM
    CVE-2025-46752

    A insertion of sensitive information into log file in Fortinet FortiDLP 12.0.0 through 12.0.5, 11.5.1, 11.4.6, 11.4.5 allows attacker to information disclosure via re-using the enrollment code.... Read more

    Affected Products : windows fortidlp_agent fortidlp
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Information Disclosure

  • 8.4

    HIGH
    CVE-2025-43281

    The issue was addressed with improved authentication. This issue is fixed in macOS Sequoia 15.6. A local attacker may be able to elevate their privileges.... Read more

    Affected Products : macos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication

  • 5.5

    MEDIUM
    CVE-2025-43282

    A double free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, watchOS 11.6, tvOS 18.6, visionOS 2.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7, iPadOS 17.7.9. An app may be able to ... Read more

    Affected Products : macos iphone_os tvos watchos ipados visionos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 5.5

    MEDIUM
    CVE-2025-43313

    A logic issue was addressed with improved restrictions. This issue is fixed in macOS Ventura 13.7.7, macOS Sonoma 14.7.7, macOS Sequoia 15.6. An app may be able to access sensitive user data.... Read more

    Affected Products : macos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-61536

    FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer tha... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Server-Side Request Forgery

  • 8.2

    HIGH
    CVE-2025-22381

    Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-20359

    Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote attacker to cause the disclosure of possible sensitive data or cause the Snort 3 Detection Engine to crash. This vulnerabili... Read more

    Affected Products : cyber_vision cyber_vision_center
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Denial of Service

  • 6.4

    MEDIUM
    CVE-2025-10140

    The Quick Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quick-login' shortcode in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping on user supplied attri... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-10139

    The WP BookWidgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bw_link' shortcode in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping on user supplied attributes. Thi... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-10135

    The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This ma... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-10133

    The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-10132

    The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This ... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.4

    MEDIUM
    CVE-2025-10056

    The Task Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.3 via the “Check Website” task. This makes it possible for authenticated attackers, with Administrator-level access and above, t... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Server-Side Request Forgery
Showing 20 of 3877 Results