Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.2

    HIGH
    CVE-2025-12160

    The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible f... Read more

    Affected Products : simple_user_registration
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 1.9

    LOW
    CVE-2025-13425

    A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) i... Read more

    Affected Products : osv-scalibr
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Denial of Service

  • 9.3

    CRITICAL
    CVE-2025-34320

    BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to cause the server to read arbitrary system files accessi... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Path Traversal

  • 7.5

    HIGH
    CVE-2025-13138

    The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of... Read more

    Affected Products : wp_directory_kit
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Injection

  • 4.9

    MEDIUM
    CVE-2025-11973

    The 简数采集器 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.6.3 via the __kds_flag functionality that imports featured images. This makes it possible for authenticated attackers, with Adminstrator-level acce... Read more

    Affected Products : keydatas
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Path Traversal

  • 6.4

    MEDIUM
    CVE-2025-11768

    The Islamic Phrases plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'phrases' shortcode attribute in all versions up to, and including, 2.12.2015. This is due to insufficient input sanitization and output escaping. This makes it ... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.8

    MEDIUM
    CVE-2025-64521

    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authe... Read more

    Affected Products : authentik
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authentication

  • 5.8

    MEDIUM
    CVE-2025-64708

    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In... Read more

    Affected Products : authentik
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authentication

  • 3.5

    LOW
    CVE-2025-64757

    Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro develo... Read more

    Affected Products : astro
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Path Traversal

  • 7.1

    HIGH
    CVE-2025-64764

    Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in v... Read more

    Affected Products : astro
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-65022

    i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda.php script. An attacker with access to an authenticated session can exec... Read more

    Affected Products : i-educar
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 7.2

    HIGH
    CVE-2025-65023

    i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated... Read more

    Affected Products : i-educar
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-63223

    The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create n... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authentication

  • 7.2

    HIGH
    CVE-2025-63220

    The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by m... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-63207

    The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. An attacker can send an unauthenticated POST request to change the Ad... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-63206

    An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted cookies in the web browser.... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-63205

    An issue was discovered in bridgetech probes VB220 IP Network Probe,VB120 Embedded IP + RF Probe, VB330 High-Capacity Probe, VB440 ST 2110 Production Analytics Probe, and NOMAD, firmware versions 6.5.0-9, allowing attackers to gain sensitive information s... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2025-65024

    i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated sessio... Read more

    Affected Products : i-educar
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-13400

    A vulnerability was detected in Tenda CH22 1.0.0.1. Affected is the function formWrlExtraGet of the file /goform/WrlExtraGet. Performing manipulation of the argument chkHz results in buffer overflow. Remote exploitation of the attack is possible. The expl... Read more

    Affected Products : ch22_firmware ch22
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-13396

    A weakness has been identified in code-projects Courier Management System 1.0. This affects an unknown function of the file /add-office.php. This manipulation of the argument OfficeName causes sql injection. The attack may be initiated remotely. The explo... Read more

    Affected Products : courier_management_system
    • Published: Nov. 19, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection
Showing 20 of 4551 Results