Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2025-65540

    Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing at... Read more

    Affected Products :
    • Published: Nov. 29, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.8

    MEDIUM
    CVE-2025-49642

    Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.... Read more

    Affected Products : zabbix
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Misconfiguration

  • 6.4

    MEDIUM
    CVE-2025-12712

    The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.2

    CRITICAL
    CVE-2024-5539

    The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation serv... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-10476

    The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated att... Read more

    Affected Products : wp_fastest_cache
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-13381

    The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. This makes it pos... Read more

    Affected Products : chatgpt_assistant
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 6.8

    MEDIUM
    CVE-2025-27232

    An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.... Read more

    Affected Products : zabbix
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 8.4

    HIGH
    CVE-2025-66223

    OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same ... Read more

    Affected Products : openobserve
    • Published: Nov. 29, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-62497

    Cross-site request forgery vulnerability exists in SNC-CX600W versions prior to Ver.2.8.0. If a user accesses a specially crafted webpage while logged in, unintended operations may be performed.... Read more

    Affected Products : snc-cx600w snc-cx600w_firmware
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.1

    MEDIUM
    CVE-2025-64730

    Cross-site scripting vulnerability exists in SNC-CX600W all versions. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the product.... Read more

    Affected Products : snc-cx600w snc-cx600w_firmware
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-36134

    IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie.... Read more

    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Information Disclosure

  • 4.3

    MEDIUM
    CVE-2025-64061

    Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a G... Read more

    Affected Products : project_contract_management
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-13768

    WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability.... Read more

    Affected Products : webitr
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication

  • 7.1

    HIGH
    CVE-2025-13770

    WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.... Read more

    Affected Products : webitr
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Injection

  • 7.1

    HIGH
    CVE-2025-13771

    WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.... Read more

    Affected Products : webitr
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2025-64067

    Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the ... Read more

    Affected Products : project_contract_management
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-65647

    Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure via the oid parameter.... Read more

    Affected Products : online_shopping_portal
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-64065

    The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low... Read more

    Affected Products : project_contract_management
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-64064

    Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their per... Read more

    Affected Products : project_contract_management
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-64063

    Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restriction... Read more

    Affected Products : project_contract_management
    • Published: Nov. 25, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization
Showing 20 of 4541 Results