Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-6038

    The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation via password update in all versions up to, and including, 1.4.0. This is due to the plugin not properly validat... Read more

    Affected Products :
    • Published: Oct. 09, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Authentication

  • 5.4

    MEDIUM
    CVE-2025-11166

    The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without pr... Read more

    Affected Products : wp_go_maps
    • Published: Oct. 09, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 7.2

    HIGH
    CVE-2025-10496

    The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthe... Read more

    Affected Products : cookie_notice_\&_consent
    • Published: Oct. 09, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-11535

    MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-10240

    A vulnerability exists in the Progress Flowmon web application prior to version 12.5.5, whereby a user who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated session.... Read more

    Affected Products : flowmon
    • Published: Oct. 09, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 9.8

    CRITICAL
    CVE-2025-7526

    The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and inc... Read more

    Affected Products : wp_travel_engine
    • Published: Oct. 09, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-10586

    The Community Events plugin for WordPress is vulnerable to SQL Injection via the ‘event_venue’ parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exis... Read more

    Affected Products : community_events
    • Published: Oct. 09, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Injection

  • 10.0

    CRITICAL
    CVE-2025-36636

    In Tenable Security Center versions prior to 6.7.0, an improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.... Read more

    Affected Products : security_center
    • Published: Oct. 08, 2025
    • Modified: Oct. 09, 2025
    • Vuln Type: Authorization

  • 7.2

    HIGH
    CVE-2025-11470

    A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to... Read more

    Affected Products : hotel_and_lodge_management_system
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-11471

    A vulnerability was detected in SourceCodester Hotel and Lodge Management System 1.0. This affects an unknown function of the file /edit_customer.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. T... Read more

    Affected Products : hotel_and_lodge_management_system
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-11472

    A flaw has been found in SourceCodester Hotel and Lodge Management System 1.0. This impacts an unknown function of the file /edit_room.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The expl... Read more

    Affected Products : hotel_and_lodge_management_system
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-11473

    A vulnerability has been found in SourceCodester Hotel and Lodge Management System 1.0. Affected is an unknown function of the file /edit_curr.php. Such manipulation of the argument currsymbol leads to sql injection. It is possible to launch the attack re... Read more

    Affected Products : hotel_and_lodge_management_system
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-11474

    A vulnerability was found in SourceCodester Hotel and Lodge Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_booking.php. Performing manipulation of the argument Name results in sql injection. The attack ... Read more

    Affected Products : hotel_and_lodge_management_system
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-57457

    An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter.... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-11490

    A vulnerability has been found in wonderwhy-er DesktopCommanderMCP up to 0.2.13. The affected element is the function extractBaseCommand of the file src/command-manager.ts of the component Absolute Path Handler. Such manipulation leads to os command injec... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 4.8

    MEDIUM
    CVE-2025-43771

    Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web scri... Read more

    Affected Products : liferay_portal dxp
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-61672

    Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaki... Read more

    Affected Products : synapse
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Misconfiguration

  • 7.2

    HIGH
    CVE-2025-11204

    The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.0.6.2 due to insufficient escaping on the user supplied parameter and... Read more

    Affected Products : registrationmagic
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Injection

  • 5.1

    MEDIUM
    CVE-2025-43830

    Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to... Read more

    Affected Products : liferay_portal dxp
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.5

    MEDIUM
    CVE-2025-11489

    A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be per... Read more

    Affected Products :
    • Published: Oct. 08, 2025
    • Modified: Oct. 08, 2025
    • Vuln Type: Path Traversal
Showing 20 of 3904 Results