Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 0.0

    NA
    CVE-2025-55797

    An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 0.0

    NA
    CVE-2025-56572

    An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Denial of Service

  • 0.0

    NA
    CVE-2025-56571

    Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Denial of Service

  • 0.0

    NA
    CVE-2025-56018

    SourceCodester Web-based Pharmacy Product Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in Category Management via the category name field.... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.8

    HIGH
    CVE-2025-43372

    The issue was addressed with improved input validation. This issue is fixed in tvOS 26, watchOS 26, visionOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process me... Read more

    Affected Products : macos iphone_os tvos watchos ipados visionos
    • Published: Sep. 15, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Memory Corruption

  • 5.3

    MEDIUM
    CVE-2025-43294

    An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.... Read more

    Affected Products : macos
    • Published: Sep. 15, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-43308

    This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to access sensitive user data.... Read more

    Affected Products : macos
    • Published: Sep. 15, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-43328

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.... Read more

    Affected Products : macos
    • Published: Sep. 15, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 0.0

    NA
    CVE-2025-56676

    TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. A temporary password or reset token issued to one user can be used to log in as another user, due to improper validation of token-user linkage. This... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-43332

    A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to break out of its sandbox.... Read more

    Affected Products : macos
    • Published: Sep. 15, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-7779

    Local privilege escalation due to insecure XPC service configuration. The following products are affected: Acronis True Image (macOS) before build 42389, Acronis True Image for SanDisk (macOS) before build 42198, Acronis True Image for Western Digital (ma... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2025-7493

    A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations ... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Authorization

  • 6.9

    MEDIUM
    CVE-2025-61586

    FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist... Read more

    Affected Products : freshrss
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Path Traversal

  • 6.5

    MEDIUM
    CVE-2025-59956

    AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint s... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.3

    CRITICAL
    CVE-2025-59954

    Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Exection through using an unsafe org.apache.commons.jxpath.JXPathContext in MetaService.java service. This issue is fixed in versi... Read more

    Affected Products : knowage
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Injection

  • 6.7

    MEDIUM
    CVE-2025-59950

    FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page a... Read more

    Affected Products : freshrss
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.2

    HIGH
    CVE-2025-59937

    go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP cl... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Information Disclosure

  • 5.2

    MEDIUM
    CVE-2025-57852

    A container privilege escalation flaw was found in KServe ModelMesh container images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands w... Read more

    Affected Products :
    • Published: Sep. 30, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-57769

    FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If em... Read more

    Affected Products : freshrss
    • Published: Sep. 29, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-56795

    Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without prope... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 30, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4321 Results