Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-11391

    The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it poss... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Misconfiguration

  • 6.4

    MEDIUM
    CVE-2020-36854

    The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX aciton along with a lack on sanitization on the settings... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-11378

    The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and includin... Read more

    Affected Products : image_optimizer
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authorization

  • 6.9

    MEDIUM
    CVE-2025-62665

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Skin:BlueSky allows Stored XSS.This issue affects Mediawiki - Skin:BlueSky: from master before 1.39.... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-11361

    The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.7.1 via the eb_save_ai_generated_image function. This makes it possible... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Server-Side Request Forgery

  • 5.3

    MEDIUM
    CVE-2025-11256

    The Kognetiks Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to uploa... Read more

    Affected Products : kognetiks_chatbot
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authorization

  • 0.0

    NA
    CVE-2025-40002

    In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix use-after-free in tb_dp_dprx_work The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(), which does not ensure that the delayed work item tunnel->dprx_... Read more

    Affected Products : linux_kernel
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Race Condition

  • 8.5

    HIGH
    CVE-2025-5555

    A vulnerability has been found in Nixdorf Wincor PORT IO Driver up to 1.0.0.1. This affects the function sub_11100 in the library wnport.sys of the component IOCTL Handler. Such manipulation leads to stack-based buffer overflow. Local access is required t... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption

  • 9.3

    CRITICAL
    CVE-2025-10678

    NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created wi... Read more

    Affected Products :
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2025-40005

    In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Implement refcount to handle unbind during busy driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation... Read more

    Affected Products : linux_kernel
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption

  • 0.0

    NA
    CVE-2025-40007

    In the Linux kernel, the following vulnerability has been resolved: netfs: fix reference leak Commit 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") modified netfs_alloc_request() to initialize the reference counter to 2 instead... Read more

    Affected Products : linux_kernel
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Denial of Service

  • 0.0

    NA
    CVE-2025-40009

    In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: check p->vec_buf for NULL When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.9368... Read more

    Affected Products : linux_kernel
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption

  • 0.0

    NA
    CVE-2025-40010

    In the Linux kernel, the following vulnerability has been resolved: afs: Fix potential null pointer dereference in afs_put_server afs_put_server() accessed server->debug_id before the NULL check, which could lead to a null pointer dereference. Move the ... Read more

    Affected Products : linux_kernel
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption

  • 0.0

    NA
    CVE-2025-40011

    In the Linux kernel, the following vulnerability has been resolved: drm/gma500: Fix null dereference in hdmi teardown pci_set_drvdata sets the value of pdev->driver_data to NULL, after which the driver_data obtained from the same dev is dereferenced in ... Read more

    Affected Products : linux_kernel
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption

  • 1.8

    LOW
    CVE-2025-11624

    Potential stack buffer overwrite on the SFTP server side when receiving a malicious packet that has a handle size larger than the system handle or file descriptor size, but smaller than max handle size allowed.... Read more

    Affected Products : wolfssh
    • Published: Oct. 21, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Memory Corruption

  • 9.4

    CRITICAL
    CVE-2025-11625

    Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of clients credentials.... Read more

    Affected Products : wolfssh
    • Published: Oct. 21, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authentication

  • 6.4

    MEDIUM
    CVE-2025-11270

    The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute in all versions up to, and including, 5.7.1 due to insufficient input sanitization... Read more

    Affected Products :
    • Published: Oct. 18, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.9

    MEDIUM
    CVE-2025-62696

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in The Wikimedia Foundation Mediawiki Foundation - Springboard Extension allows Command Injection.This issue affects Mediawiki Foundation - Springboard Exten... Read more

    Affected Products :
    • Published: Oct. 21, 2025
    • Modified: Oct. 21, 2025

  • 8.1

    HIGH
    CVE-2025-62509

    FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/de... Read more

    Affected Products :
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authorization

  • 6.8

    MEDIUM
    CVE-2025-6515

    The MCP SSE endpoint in oatpp-mcp returns an instance pointer as the session ID, which is not unique nor cryptographically secure. This allows network attackers with access to the oatpp-mcp server to guess future session IDs and hijack legitimate client M... Read more

    Affected Products :
    • Published: Oct. 20, 2025
    • Modified: Oct. 21, 2025
    • Vuln Type: Authentication
Showing 20 of 3910 Results