Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2025-12123

    The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-13143

    The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action ... Read more

    Affected Products : poll\,_survey_\&_quiz_maker
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 4.4

    MEDIUM
    CVE-2025-12185

    The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, ... Read more

    Affected Products : stafflist
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-13680

    The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user->set_role() function. This makes it possible for authent... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-12666

    The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter of the 'atachfilegoogle' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and ou... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 3.6

    LOW
    CVE-2025-66040

    Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can exec... Read more

    Affected Products : spotipy
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.1

    MEDIUM
    CVE-2025-66386

    app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.... Read more

    Affected Products : misp
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-13615

    The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system r... Read more

    Affected Products :
    • Published: Nov. 30, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 3.3

    LOW
    CVE-2025-65681

    An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks.... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Information Disclosure

  • 5.0

    MEDIUM
    CVE-2025-66371

    Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.... Read more

    Affected Products :
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: XML External Entity

  • 7.5

    HIGH
    CVE-2025-13806

    A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the c... Read more

    Affected Products :
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-30190

    Malicious content at office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the provided updates an... Read more

    Affected Products : ox_app_suite
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-50433

    An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts.... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2025-13793

    A weakness has been identified in winston-dsouza Ecommerce-Website up to 87734c043269baac0b4cfe9664784462138b1b2e. Affected by this issue is some unknown functionality of the file /includes/header_menu.php of the component GET Parameter Handler. Executing... Read more

    Affected Products :
    • Published: Nov. 30, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.0

    MEDIUM
    CVE-2025-66432

    In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.... Read more

    Affected Products :
    • Published: Nov. 30, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 4.2

    MEDIUM
    CVE-2025-66433

    HTCondor Access Point before 25.3.1 allows an authenticated user to impersonate other users on the local machine by submitting a batch job. This is fixed in 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3.... Read more

    Affected Products : htcondor
    • Published: Nov. 30, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-41738

    An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition.... Read more

    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Denial of Service

  • 5.4

    MEDIUM
    CVE-2025-13296

    Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery.This issue affects T-Soft E-Commerce: through 28112025.... Read more

    Affected Products :
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.0

    HIGH
    CVE-2025-12638

    Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical f... Read more

    Affected Products : keras
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 9.3

    CRITICAL
    CVE-2025-8890

    Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to a shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by ... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Injection
Showing 20 of 4868 Results