Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2025-46632

    Initialization vector (IV) reuse in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an attacker to discern information about or more easily decrypt encrypted messages between client and server.... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Cryptography

  • 6.5

    MEDIUM
    CVE-2025-46631

    Improper access controls in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to enable telnet access to the router's OS by sending a /goform/telnet web request.... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Misconfiguration

  • 6.5

    MEDIUM
    CVE-2025-46630

    Improper access controls in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to enable 'ate' (a remote system management binary) by sending a /goform/ate web request.... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-46629

    Lack of access controls in the 'ate' management binary of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to perform unauthorized configuration changes for any router where 'ate' has been enabled by sending a crafted UDP packet... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Authentication

  • 7.3

    HIGH
    CVE-2025-46628

    Lack of input validation/sanitization in the 'ate' management service in the Tenda RX2 Pro 16.03.30.14 allows an unauthorized remote attacker to gain root shell access to the device by sending a crafted UDP packet to the 'ate' service when it is enabled. ... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Authentication

  • 8.2

    HIGH
    CVE-2025-46627

    Use of weak credentials in the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated attacker to authenticate to the telnet service by calculating the root password based on easily-obtained device information. The password is based on the last two digits/oc... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Authentication

  • 7.3

    HIGH
    CVE-2025-46626

    Reuse of a static AES key and initialization vector for encrypted traffic to the 'ate' management service of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt, replay, and/or forge traffic to the service.... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Cryptography

  • 8.8

    HIGH
    CVE-2025-46625

    Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to gain root shell access to the device by sending a crafted web reque... Read more

    Affected Products : rx2_pro_firmware rx2_pro
    • Published: May. 01, 2025
    • Modified: May. 27, 2025
    • Vuln Type: Injection

  • 7.4

    HIGH
    CVE-2025-46569

    Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evalu... Read more

    Affected Products : open_policy_agent
    • Published: May. 01, 2025
    • Modified: May. 02, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-4174

    A vulnerability, which was classified as critical, has been found in PHPGurukul COVID19 Testing Management System 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql inje... Read more

    Affected Products : covid19_testing_management_system
    • Published: May. 01, 2025
    • Modified: May. 09, 2025
    • Vuln Type: Injection

  • 6.3

    MEDIUM
    CVE-2025-3517

    Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal account’s SID when updati... Read more

    Affected Products : devolutions_server
    • Published: May. 01, 2025
    • Modified: Jun. 17, 2025
    • Vuln Type: Authorization

  • 6.1

    MEDIUM
    CVE-2025-36558

    KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to t... Read more

    Affected Products :
    • Published: May. 01, 2025
    • Modified: May. 02, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-36521

    MicroDicom DICOM Viewer is vulnerable to an out-of-bounds read which may allow an attacker to cause memory corruption within the application. The user must open a malicious DCM file for exploitation.... Read more

    Affected Products : dicom_viewer
    • Published: May. 01, 2025
    • Modified: May. 02, 2025
    • Vuln Type: Memory Corruption

  • 9.0

    CRITICAL
    CVE-2025-35996

    KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. ... Read more

    Affected Products :
    • Published: May. 01, 2025
    • Modified: May. 02, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-35975

    MicroDicom DICOM Viewer is vulnerable to an out-of-bounds write which may allow an attacker to execute arbitrary code. The user must open a malicious DCM file for exploitation.... Read more

    Affected Products : dicom_viewer
    • Published: May. 01, 2025
    • Modified: May. 02, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-32011

    KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal.... Read more

    Affected Products :
    • Published: May. 01, 2025
    • Modified: May. 02, 2025
    • Vuln Type: Authentication

  • 10.0

    CRITICAL
    CVE-2025-24522

    KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands o... Read more

    Affected Products :
    • Published: May. 01, 2025
    • Modified: May. 02, 2025
    • Vuln Type: Authentication

  • 7.7

    HIGH
    CVE-2025-46568

    Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Prior to version 0.45.0, Stirling-PDF is vulnerable to SSRF-induced arbitrary file read. WeasyPrint redefines a set of HTML tags, including img, e... Read more

    Affected Products : stirling_pdf
    • Published: May. 01, 2025
    • Modified: Jun. 17, 2025
    • Vuln Type: Server-Side Request Forgery

  • 7.8

    HIGH
    CVE-2025-46567

    LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on use... Read more

    Affected Products : llama-factory
    • Published: May. 01, 2025
    • Modified: Jun. 17, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-46566

    DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.9, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.9.... Read more

    Affected Products : dataease
    • Published: May. 01, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Authentication
Showing 20 of 293680 Results