Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2025-65026

    esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is ... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 8.2

    HIGH
    CVE-2025-65025

    esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing spec... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-58412

    A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or... Read more

    Affected Products : fortiadc
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-63878

    Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page.... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-63219

    The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control ... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 6.8

    MEDIUM
    CVE-2025-65089

    XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This ... Read more

    Affected Products : pro_macros
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Information Disclosure

  • 9.8

    CRITICAL
    CVE-2025-63210

    The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted responses from the /celoxservice endpoint. By injecting a for... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-63209

    The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin credentials ... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Information Disclosure

  • 4.6

    MEDIUM
    CVE-2025-63243

    A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01). The sle_sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victi... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.6

    HIGH
    CVE-2025-10703

    Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 6.0

    MEDIUM
    CVE-2025-12743

    The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, ... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 8.6

    HIGH
    CVE-2025-10702

    Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection optio... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 6.9

    MEDIUM
    CVE-2025-34336

    eGovFramework/egovframe-common-components versions up to and including 4.3.1 contain an unauthenticated file upload vulnerability via the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requ... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Misconfiguration

  • 5.4

    MEDIUM
    CVE-2025-11963

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities allows Reflected XSS.This issue affects StarCities: before 1.1.61.... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.3

    CRITICAL
    CVE-2025-12592

    Legacy Vivotek Device firmware uses default credetials for the root and user login accounts.... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-63218

    The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 10.0

    CRITICAL
    CVE-2025-63224

    The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other dev... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 4.7

    MEDIUM
    CVE-2025-0421

    Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay.This issue affects Shopside: through 05022025.... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-13395

    A security flaw has been discovered in codehub666 94list up to 5831c8240e99a72b7d3508c79ef46ae4b96befe8. The impacted element is the function Login of the file /function.php. The manipulation results in sql injection. The attack can be launched remotely. ... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2025-34337

    eGovFramework/egovframe-common-components versions up to and including 4.3.1 includes Web Editor image upload and related file delivery functionality that uses symmetric encryption to protect URL parameters, but exposes an encryption oracle that allows at... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Information Disclosure
Showing 20 of 4566 Results