Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2025-63212

    GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retr... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Information Disclosure

  • 2.3

    LOW
    CVE-2025-11884

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an attacker has high level access to UCMDB to create or update data with malicious... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-12778

    The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This ma... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization

  • 6.8

    MEDIUM
    CVE-2025-12502

    The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Injection

  • 7.1

    HIGH
    CVE-2025-11676

    Improper input validation vulnerability in TP-Link System Inc. TL-WR940N V6 (UPnP modules), which allows unauthenticated adjacent attackers to perform DoS attack. This issue affects TL-WR940N V6 <= Build 220801.... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Denial of Service

  • 6.9

    MEDIUM
    CVE-2025-65100

    Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-65103

    OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries.... Read more

    Affected Products : openstamanager
    • Published: Nov. 19, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Injection

  • 7.3

    HIGH
    CVE-2025-13433

    A security flaw has been discovered in Muse Group MuseHub 2.1.0.1567. The affected element is an unknown function of the file C:\Program Files\WindowsApps\Muse.MuseHub_2.1.0.1567_x64__rb9pth70m6nz6\Muse.Updater.exe of the component Windows Service. The ma... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Misconfiguration

  • 4.8

    MEDIUM
    CVE-2025-13469

    A security vulnerability has been detected in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.2

    CRITICAL
    CVE-2025-12414

    An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-h... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authentication

  • 8.1

    HIGH
    CVE-2025-64759

    Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SV... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-13442

    A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack m... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Injection

  • 6.8

    MEDIUM
    CVE-2025-62346

    A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint.... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 1.9

    LOW
    CVE-2025-13425

    A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) i... Read more

    Affected Products : osv-scalibr
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2025-13138

    The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of... Read more

    Affected Products : wp_directory_kit
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-11765

    The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. ... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-64984

    Kaspersky has fixed a security issue in Kaspersky Endpoint Security for Linux (any version with anti-virus databases prior to 18.11.2025), Kaspersky Industrial CyberSecurity for Linux Nodes (any version with anti-virus databases prior to 18.11.2025), and ... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-11801

    The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escap... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.9

    MEDIUM
    CVE-2025-64185

    Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, Open OnDemand packages create world writable locations in the GEM_PATH. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.... Read more

    Affected Products : open_ondemand
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-11985

    The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible ... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization
Showing 20 of 4530 Results