Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-44136

    MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without html encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript co... Read more

    Affected Products : tileserver_php
    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.2

    HIGH
    CVE-2025-31965

    Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages.... Read more

    Affected Products :
    • Published: Jul. 29, 2025
    • Modified: Jul. 31, 2025
    • Vuln Type: Authorization

  • 7.6

    HIGH
    CVE-2025-28170

    Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.... Read more

    Affected Products : gxp1628_firmware gxp1628
    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-28171

    An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.... Read more

    Affected Products : ucm6510_firmware ucm6510
    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Information Disclosure

  • 7.7

    HIGH
    CVE-2025-51970

    A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter.... Read more

    Affected Products : online_shopping_system_advanced
    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-50738

    The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interactio... Read more

    Affected Products : memos
    • Published: Jul. 29, 2025
    • Modified: Aug. 22, 2025
    • Vuln Type: Information Disclosure

  • 9.8

    CRITICAL
    CVE-2025-46059

    langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this i... Read more

    Affected Products :
    • Published: Jul. 29, 2025
    • Modified: Aug. 04, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-28172

    Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to t... Read more

    Affected Products : ucm6510_firmware ucm6510
    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Authentication

  • 6.3

    MEDIUM
    CVE-2025-52358

    A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters whi... Read more

    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2024-42645

    An issue in FlashMQ v1.14.0 allows attackers to cause an assertion failure via sending a crafted retain message, leading to a Denial of Service (DoS).... Read more

    Affected Products : flashmq
    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2024-42644

    FlashMQ v1.14.0 was discovered to contain an assertion failure in the function PublishCopyFactory::getNewPublish, which occurs when the QoS value of the publish object is greater than 0.... Read more

    Affected Products : flashmq
    • Published: Jul. 29, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Denial of Service

  • 9.1

    CRITICAL
    CVE-2025-7458

    An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process mem... Read more

    Affected Products : sqlite
    • Published: Jul. 29, 2025
    • Modified: Aug. 11, 2025
    • Vuln Type: Denial of Service

  • 8.1

    HIGH
    CVE-2025-6505

    Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client ... Read more

    Affected Products :
    • Published: Jul. 29, 2025
    • Modified: Jul. 29, 2025
    • Vuln Type: Authentication

  • 8.4

    HIGH
    CVE-2025-6504

    In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.  Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a wh... Read more

    Affected Products :
    • Published: Jul. 29, 2025
    • Modified: Jul. 29, 2025
    • Vuln Type: Authentication

  • 7.2

    HIGH
    CVE-2025-6175

    Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in DECE Software Geodi allows HTTP Request Splitting.This issue affects Geodi: before GEODI Setup 9.0.146.... Read more

    Affected Products : geodi
    • Published: Jul. 29, 2025
    • Modified: Jul. 29, 2025
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2025-6060

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DECE Software Geodi allows Cross-Site Scripting (XSS).This issue affects Geodi: before GEODI Setup 9.0.146.... Read more

    Affected Products : geodi
    • Published: Jul. 29, 2025
    • Modified: Jul. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.9

    MEDIUM
    CVE-2025-54422

    Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox creation, user passw... Read more

    Affected Products : sandboxie sandboxie
    • Published: Jul. 29, 2025
    • Modified: Aug. 04, 2025
    • Vuln Type: Information Disclosure

  • 4.4

    MEDIUM
    CVE-2025-41241

    VMware vCenter contains a denial-of-service vulnerability. A malicious actor who is authenticated through vCenter and has permission to perform API calls for guest OS customisation may trigger this vulnerability to create a denial-of-service condition.... Read more

    • Published: Jul. 29, 2025
    • Modified: Jul. 29, 2025
    • Vuln Type: Denial of Service

  • 6.1

    MEDIUM
    CVE-2025-40686

    Reflected Cross-Site Scripting (XSS) in Human Resource Management System version 1.0. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the 'employeeid' parameter in/detailview... Read more

    Affected Products : human_resource_management_system
    • Published: Jul. 29, 2025
    • Modified: Aug. 04, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-40685

    Reflected Cross-Site Scripting (XSS) in Human Resource Management System version 1.0. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the 'searcstate' parameter in/state.php.... Read more

    Affected Products : human_resource_management_system
    • Published: Jul. 29, 2025
    • Modified: Aug. 04, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 291384 Results