Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.8

    MEDIUM
    CVE-2025-21073

    Insecure default configuration in USB connection mode prior to SMR Nov-2025 Release 1 allows privileged physical attackers to access user data. User interaction is required for triggering this vulnerability.... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Misconfiguration

  • 5.7

    MEDIUM
    CVE-2025-21071

    Out-of-bounds write in handling opcode in fingerprint trustlet prior to SMR Nov-2025 Release 1 allows local privileged attackers to write out-of-bounds memory.... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-11749

    The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible f... Read more

    Affected Products : ai_engine
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2025-11072

    The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files.... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2025-10873

    The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Authorization

  • 6.3

    MEDIUM
    CVE-2025-10567

    The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users.... Read more

    Affected Products : funnel_builder
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-12197

    The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-11162

    The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escapi... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-12580

    The SMS for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthe... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-11835

    The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler:... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Authorization

  • 5.6

    MEDIUM
    CVE-2025-8871

    The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers... Read more

    Affected Products : everest_forms
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2025-12582

    The Features plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'features_revert_option AJAX endpoint in all versions up to, and including, 0.0.2. This makes it possible for authenticated attac... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-12735

    The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2025-64110

    Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malici... Read more

    Affected Products : cursor
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-64109

    Cursor is a code editor built for programming with AI. In versions and below, a vulnerability in the Cursor CLI Beta allowed an attacker to achieve remote code execution through the MCP (Model Context Protocol) server mechanism by uploading a malicious MC... Read more

    Affected Products : cursor
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-63334

    PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell ... Read more

    Affected Products :
    • Published: Nov. 05, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-64108

    Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor requires human approval to overwrite.... Read more

    Affected Products : cursor
    • Published: Nov. 04, 2025
    • Modified: Nov. 04, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-64107

    Cursor is a code editor built for programming with AI. In versions 1.7.52 and below, manipulating internal settings may lead to RCE. Cursor detects path manipulation via forward slashes (./.cursor/./././././mcp.json etc.), and requires human approval to c... Read more

    Affected Products : cursor
    • Published: Nov. 04, 2025
    • Modified: Nov. 04, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-64106

    Cursor is a code editor built for programming with AI. In versions 1.7.28 and below, an input validation flaw in Cursor's MCP server installation enables specially crafted deep-links to bypass the standard security warnings and conceal executed commands f... Read more

    Affected Products : cursor
    • Published: Nov. 04, 2025
    • Modified: Nov. 04, 2025
    • Vuln Type: Misconfiguration

  • 8.7

    HIGH
    CVE-2025-62722

    LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, the social media sharing functionality contains a Stored Cross-Site Scripting (XSS) vulnerability that allows any authenticated user to inject arbitrary JavaScript by ... Read more

    Affected Products : linkace
    • Published: Nov. 04, 2025
    • Modified: Nov. 05, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 3909 Results