Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.8

    MEDIUM
    CVE-2025-43771

    Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web scri... Read more

    Affected Products : liferay_portal dxp
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-11204

    The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.0.6.2 due to insufficient escaping on the user supplied parameter and... Read more

    Affected Products : registrationmagic
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 7.4

    HIGH
    CVE-2025-9970

    Cleartext Storage of Sensitive Information in Memory vulnerability in ABB MConfig.This issue affects MConfig: through 1.4.9.21.... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2025-11488

    A weakness has been identified in D-Link DIR-852 up to 20251002. This affects an unknown part of the file /HNAP1/. Executing manipulation can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public... Read more

    Affected Products : dir-852_firmware
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 8.6

    HIGH
    CVE-2025-48981

    An insecure implementation of the proprietary protocol DNET in Product CGM MEDICO allows attackers within the intranet to eavesdrop and manipulate data on the protocol because encryption is optional for this connection.... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Cryptography

  • 9.8

    CRITICAL
    CVE-2025-52021

    A SQL Injection vulnerability exists in the edit_product.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The product_id GET parameter is unsafely passed to a SQL query without proper validation or parameterization.... Read more

    Affected Products :
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 10.0

    CRITICAL
    CVE-2025-3450

    An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker to delete data causing denial of service conditions.... Read more

    Affected Products : automation_runtime
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Race Condition

  • 7.5

    HIGH
    CVE-2025-43914

    Dell PowerProtect Data Domain BoostFS for Linux Ubuntu systems of Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2025 release version 8.3.1.0, LTS2024 release versions 7.13.1.0 through 7.13.1.30, LTS 2023 release versions 7.10.1.0 through 7.10.1.60... Read more

    Affected Products :
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Authorization

  • 8.4

    HIGH
    CVE-2025-11192

    A vulnerability in Extreme Networks’ Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense imple... Read more

    Affected Products :
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Authentication

  • 4.5

    MEDIUM
    CVE-2025-11489

    A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be per... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2025-11406

    A security flaw has been discovered in kaifangqian kaifangqian-base up to 7b3faecda13848b3ced6c17c7423b76c5b47b8ab. This issue affects the function getAllUsers of the file kaifangqian-parent/kaifangqian-system/src/main/java/com/kaifangqian/modules/system/... Read more

    Affected Products :
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Information Disclosure

  • 9.9

    CRITICAL
    CVE-2025-44823

    Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.... Read more

    Affected Products : log_server
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Information Disclosure

  • 8.5

    HIGH
    CVE-2025-44824

    Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not... Read more

    Affected Products : log_server
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Authentication

  • 9.0

    HIGH
    CVE-2025-11408

    A security vulnerability has been detected in D-Link DI-7001 MINI 24.04.18B1. The affected element is an unknown function of the file /dbsrv.asp. Such manipulation of the argument str leads to buffer overflow. The attack may be launched remotely. The expl... Read more

    Affected Products :
    • Published: Oct. 07, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Memory Corruption

  • 8.1

    HIGH
    CVE-2025-10494

    The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it poss... Read more

    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-10587

    The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exi... Read more

    Affected Products : community_events
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 7.7

    HIGH
    CVE-2025-10635

    The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-10351

    SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter in the '/melis/MelisCms/PageEditi... Read more

    Affected Products : meliscms
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-10352

    Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'.... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-10649

    The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. T... Read more

    Affected Products : welcart_e-commerce
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection
Showing 20 of 3904 Results