Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 0.0

    NA
    CVE-2025-56392

    An Insecure Direct Object Reference (IDOR) in the /dashboard/notes endpoint of Syaqui Collegetivity v1.0.0 allows attackers to impersonate other users and perform arbitrary operations via a crafted POST request.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 6.1

    MEDIUM
    CVE-2025-56200

    A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol ... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-56018

    SourceCodester Web-based Pharmacy Product Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in Category Management via the category name field.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-52050

    In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injectin... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-52049

    In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the time... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-52047

    In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-52043

    In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQ... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 4.9

    MEDIUM
    CVE-2025-36262

    IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 could allow a malicious privileged user to bypass the UI to gain unauthorized access to sensitive information due to the improper validation of input.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-36132

    IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality po... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.8

    MEDIUM
    CVE-2025-28016

    A Reflected Cross-Site Scripting (XSS) vulnerability was found in loginsystem/edit-profile.php of the PHPGurukul User Registration & Login and User Management System V3.3. This vulnerability allows remote attackers to execute arbitrary JavaScript code via... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-10659

    The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2024-55017

    Account Takeover in Corezoid 6.6.0 in the OAuth2 implementation via an open redirect in the redirect_uri parameter allows attackers to intercept authorization codes and gain unauthorized access to victim accounts.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2025-56132

    LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the exi... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2025-43827

    Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-11149

    This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Denial of Service

  • 9.8

    CRITICAL
    CVE-2025-11148

    All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 0.0

    NA
    CVE-2025-57254

    An SQL injection vulnerability in user-login.php and index.php of Karthikg1908 Hospital Management System (HMS) 1.0 allows remote attackers to execute arbitrary SQL queries via the username and password POST parameters. The application fails to properly s... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-57197

    In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device can dynamically instrument the app to bypass the current PIN ve... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-56764

    Trivision NC-227WF firmware 5.80 (build 20141010) login mechanism reveals whether a username exists or not by returning different error messages ("Unknown user" vs. "Wrong password"), allowing an attacker to enumerate valid usernames.... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authentication

  • 3.5

    LOW
    CVE-2025-56675

    The EKEN video doorbell T6 BT60PLUS_MAIN_V1.0_GC1084_20230531 periodically sends debug logs to the EKEN cloud servers with sensitive information such as the Wi-Fi SSID and password.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Information Disclosure
Showing 20 of 4466 Results