Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.1

    MEDIUM
    CVE-2025-49641

    A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.... Read more

    Affected Products : zabbix
    • Published: Oct. 03, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Authorization

  • 9.3

    CRITICAL
    CVE-2025-40636

    SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4j3. This vulnerability allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits.... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Injection

  • 7.3

    HIGH
    CVE-2025-27237

    In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.... Read more

    Affected Products : zabbix
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Misconfiguration

  • 6.5

    MEDIUM
    CVE-2025-27236

    A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.... Read more

    Affected Products : zabbix
    • Published: Oct. 03, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Authorization

  • 4.9

    MEDIUM
    CVE-2025-27231

    The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.... Read more

    Affected Products : zabbix
    • Published: Oct. 03, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-10726

    The WPRecovery plugin for WordPress is vulnerable to SQL Injection via the 'data[id]' parameter in all versions up to, and including, 2.0. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existi... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-10582

    The WP Dispatcher plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL que... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-10547

    An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption.... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 4.3

    MEDIUM
    CVE-2025-10311

    The Comment Info Detector plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing nonce validation on the options.php file when handling form submissions. This makes it possible ... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 4.3

    MEDIUM
    CVE-2025-10309

    The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and management functions. This makes it possible for unauthenticate... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 3.8

    LOW
    CVE-2025-10306

    The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Adminis... Read more

    Affected Products : backup_bolt
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Path Traversal

  • 4.3

    MEDIUM
    CVE-2025-10302

    The Ultimate Viral Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on thesave_options() function. This makes it possible for unauthentica... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.3

    MEDIUM
    CVE-2025-10212

    The SiteAlert (Formerly WP Health) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.9.8. This makes it possible for unauthenticated attackers ... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-10192

    The WP Photo Effects plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wppe_effect' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attribu... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-10165

    The AP Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adv_parallax_back' shortcode in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attr... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.4

    MEDIUM
    CVE-2025-10053

    The TableGen – Data Table Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for aut... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.1

    MEDIUM
    CVE-2025-0876

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Isin Basi Advertisement Information Technologies Trade Inc. IT's Workif allows Cross-Site Scripting (XSS).This issue affects IT's Workif: through ... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-11234

    A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abuse... Read more

    Affected Products : qemu
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Denial of Service

  • 9.8

    CRITICAL
    CVE-2025-6388

    The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a user's identity prior to authenticating them to the site.... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Authentication

  • 8.4

    HIGH
    CVE-2025-11223

    Installer of Panasonic AutoDownloader version 1.2.8 contains an issue with the DLL search path, which may lead to loading a crafted DLL file in the same directory.... Read more

    Affected Products :
    • Published: Oct. 03, 2025
    • Modified: Oct. 06, 2025
    • Vuln Type: Misconfiguration
Showing 20 of 4072 Results