Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2025-67436

    Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).... Read more

    Affected Products : pluxml
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 7.6

    HIGH
    CVE-2025-67442

    EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users.... Read more

    Affected Products : eve-ng
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-67443

    Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel.... Read more

    Affected Products : cms
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-68115

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email ve... Read more

    Affected Products : parse-server
    • Published: Dec. 16, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.9

    HIGH
    CVE-2025-68116

    FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An at... Read more

    Affected Products : filerise
    • Published: Dec. 16, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-15425

    A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_user.jsp of the component HTTP GET Parameter Handler. Executing manipulation of the argument ID can lead to sql injection. The attack... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-15423

    A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been dis... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-15426

    A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. T... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-14047

    The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 5.5

    MEDIUM
    CVE-2025-15422

    A flaw has been found in EmpireSoft EmpireCMS up to 8.0. This issue affects the function egetip of the file e/class/connect.php of the component IP Address Handler. This manipulation causes protection mechanism failure. The attack may be initiated remotel... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Information Disclosure

  • 9.8

    CRITICAL
    CVE-2025-14998

    The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it po... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 9.0

    HIGH
    CVE-2025-15428

    A weakness has been identified in UTT 进取 512W 1.7.7-171114. Affected is the function strcpy of the file /goform/formRemoteControl. This manipulation of the argument Profile causes buffer overflow. It is possible to initiate the attack remotely. The exploi... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-15421

    A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-15429

    A security vulnerability has been detected in UTT 进取 512W 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formConfigCliForEngineerOnly. Such manipulation of the argument addCommand leads to buffer overflow. It is po... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 4.8

    MEDIUM
    CVE-2025-15417

    A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack mus... Read more

    Affected Products : open5gs
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 4.8

    MEDIUM
    CVE-2025-15418

    A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial... Read more

    Affected Products : open5gs
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2025-15420

    A security vulnerability has been detected in Yonyou KSOA 9.0. This affects an unknown part of the file /worksheet/agent_work_report.jsp. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has bee... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 1.2

    LOW
    CVE-2025-53590

    A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have ... Read more

    Affected Products : qts
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2026-0544

    A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The ... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-15413

    A vulnerability was detected in wasm3 up to 0.5.0. Impacted is the function op_SetSlot_i32/op_CallIndirect of the file m3_exec.h. Performing manipulation results in memory corruption. The attack needs to be approached locally. The exploit is now public an... Read more

    Affected Products : wasm3
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption
Showing 20 of 4945 Results