Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.7

    HIGH
    CVE-2025-34437

    AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video ob... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2025-34436

    AVideo versions prior to 20.0 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2025-34435

    AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or e... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization

  • 9.3

    CRITICAL
    CVE-2025-34434

    AVideo versions prior to 20.0 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, all... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authentication

  • 6.0

    MEDIUM
    CVE-2025-14760

    Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's meta... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cryptography

  • 6.0

    MEDIUM
    CVE-2025-14759

    Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file"... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cryptography

  • 0.0

    NA
    CVE-2025-67174

    A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via a directory traversal in the admin_language_file and default_page_language_file in the admin.php component... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Path Traversal

  • 6.8

    MEDIUM
    CVE-2025-67173

    A Cross-Site Request Forgery (CSRF) in the page creation/editing function of RiteCMS v3.1.0 allows attackers to arbitrarily create pages via a crafted POST request.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 7.5

    HIGH
    CVE-2025-67171

    Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-67170

    A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-67168

    RiteCMS v3.1.0 was discovered to use insecure encryption to store passwords.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cryptography

  • 0.0

    NA
    CVE-2025-66953

    CSRF vulnerability in narda miteq Uplink Power Contril Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the Web-based management interface and specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?..., an... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2025-66395

    ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted bef... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection

  • 10.0

    CRITICAL
    CVE-2025-62521

    ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installati... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2025-14081

    The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-13537

    The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and outpu... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cross-Site Scripting

  • 3.9

    LOW
    CVE-2025-13326

    Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Misconfiguration

  • 4.3

    MEDIUM
    CVE-2025-13324

    Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate invite tokens after use which allows malicious actors who have intercepted invite tokens to manipulate channel memberships including adding or removing users f... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authentication

  • 3.3

    LOW
    CVE-2025-13321

    Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading t... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Information Disclosure

  • 6.4

    MEDIUM
    CVE-2025-13217

    The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0.... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4549 Results