Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.8

    HIGH
    CVE-2025-61802

    Substance3D - Stager versions 3.1.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must ope... Read more

    Affected Products : macos windows substance_3d_stager
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 8.4

    HIGH
    CVE-2025-43281

    The issue was addressed with improved authentication. This issue is fixed in macOS Sequoia 15.6. A local attacker may be able to elevate their privileges.... Read more

    Affected Products : macos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authentication

  • 5.5

    MEDIUM
    CVE-2025-43282

    A double free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, watchOS 11.6, tvOS 18.6, visionOS 2.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7, iPadOS 17.7.9. An app may be able to ... Read more

    Affected Products : macos iphone_os tvos watchos ipados visionos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 5.5

    MEDIUM
    CVE-2025-43313

    A logic issue was addressed with improved restrictions. This issue is fixed in macOS Ventura 13.7.7, macOS Sonoma 14.7.7, macOS Sequoia 15.6. An app may be able to access sensitive user data.... Read more

    Affected Products : macos
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-61536

    FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer tha... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Server-Side Request Forgery

  • 8.2

    HIGH
    CVE-2025-22381

    Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.... Read more

    Affected Products :
    • Published: Oct. 16, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 8.6

    HIGH
    CVE-2025-59051

    The FreePBX Endpoint Manager module includes a Network Scanning feature that provides web-based access to nmap functionality for network device discovery. In Endpoint Manager 16 before 16.0.92 and 17 before 17.0.6, insufficiently sanitized user-supplied i... Read more

    Affected Products : freepbx
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2025-54272

    Adobe Experience Manager versions 11.6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be exe... Read more

    Affected Products : experience_manager_forms
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 0.0

    NA
    CVE-2025-39974

    In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit() When config osnoise cpus by write() syscall, the following KASAN splat may be observed: BUG: KASAN: slab-out-of-bounds... Read more

    Affected Products : linux_kernel
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Memory Corruption

  • 9.3

    CRITICAL
    CVE-2018-25117

    VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Supply Chain

  • 6.4

    MEDIUM
    CVE-2025-11161

    The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitiza... Read more

    Affected Products : page_builder
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-62374

    Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.regi... Read more

    Affected Products :
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2023-7311

    BYTEVALUE Intelligent Flow Control Router contains a command injection vulnerability via the /goform/webRead/open endpoint. The `path` parameter is not properly validated and is echoed into a shell context, allowing an attacker to inject and execute arbit... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection

  • 0.0

    NA
    CVE-2025-39971

    In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg().... Read more

    Affected Products : linux_kernel
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025

  • 4.3

    MEDIUM
    CVE-2025-11176

    The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled ke... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Authorization

  • 0.0

    NA
    CVE-2025-39968

    In the Linux kernel, the following vulnerability has been resolved: i40e: add max boundary check for VF filters There is no check for max filters that VF can request. Add it.... Read more

    Affected Products : linux_kernel
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-39966

    In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix race during abort for file descriptors fput() doesn't actually call file_operations release() synchronously, it puts the file on a work queue and it will be released eventu... Read more

    Affected Products : linux_kernel
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Race Condition

  • 5.5

    MEDIUM
    CVE-2025-10406

    The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks.... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-60374

    Stored Cross-Site Scripting (XSS) in Perfex CRM chatbot before 3.3.1 allows attackers to inject arbitrary HTML/JavaScript. The payload is executed in the browsers of users viewing the chat, resulting in client-side code execution, potential session token ... Read more

    Affected Products :
    • Published: Oct. 14, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-11501

    The Dynamically Display Posts plugin for WordPress is vulnerable to SQL Injection via the 'tax_query' parameter in all versions up to, and including, 1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the... Read more

    Affected Products :
    • Published: Oct. 15, 2025
    • Modified: Oct. 16, 2025
    • Vuln Type: Injection
Showing 20 of 3675 Results