Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-63434

    The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on thei... Read more

    Affected Products : xtool_anyscan
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Supply Chain

  • 4.6

    MEDIUM
    CVE-2025-63433

    Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffi... Read more

    Affected Products : xtool_anyscan
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Cryptography

  • 4.6

    MEDIUM
    CVE-2025-63432

    Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by p... Read more

    Affected Products : xtool_anyscan
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Misconfiguration

  • 4.6

    MEDIUM
    CVE-2025-60917

    A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted pay... Read more

    Affected Products : openatlas
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-60916

    A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted pay... Read more

    Affected Products : openatlas
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.1

    HIGH
    CVE-2025-60915

    An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute a path traversal via a crafted request.... Read more

    Affected Products : openatlas
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Path Traversal

  • 4.6

    MEDIUM
    CVE-2025-60914

    Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /display_logo endpoint.... Read more

    Affected Products : openatlas
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-60638

    An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API.... Read more

    Affected Products : free5gc
    • Published: Nov. 24, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2025-60633

    An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.... Read more

    Affected Products : free5gc udm
    • Published: Nov. 24, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2025-60632

    An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.... Read more

    Affected Products : free5gc
    • Published: Nov. 24, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2025-56423

    An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages... Read more

    Affected Products : openatlas
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Information Disclosure

  • 7.6

    HIGH
    CVE-2025-56401

    ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 8.3

    HIGH
    CVE-2025-44018

    A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-40213

    In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. ... Read more

    Affected Products : linux_kernel
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Memory Corruption

  • 8.7

    HIGH
    CVE-2025-10555

    A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in DELMIA Service Process Engineer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.7

    HIGH
    CVE-2025-10554

    A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in ENOVIA Product Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-12978

    Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remot... Read more

    Affected Products : fluent_bit
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-12977

    Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as... Read more

    Affected Products : fluent_bit
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-12972

    Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags contain... Read more

    Affected Products : fluent_bit
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-12970

    The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buf... Read more

    Affected Products : fluent_bit
    • Published: Nov. 24, 2025
    • Modified: Nov. 28, 2025
    • Vuln Type: Memory Corruption
Showing 20 of 4040 Results