Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.5

    MEDIUM
    CVE-2025-10954

    Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime ... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Denial of Service

  • 4.8

    MEDIUM
    CVE-2025-11069

    A vulnerability was determined in westboy CicadasCMS 1.0. Affected by this issue is some unknown functionality of the file /system/org/save of the component Add Department Handler. This manipulation of the argument Name causes cross site scripting. The at... Read more

    Affected Products : cicadascms
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-59939

    WeGIA is a Web manager for charitable institutions. Prior to version 3.5.0, WeGIA is vulnerable to SQL Injection attacks in the control.php endpoint with the following parameters: nomeClasse=ProdutoControle&metodo=excluir&id_produto=[malicious command]. I... Read more

    Affected Products : wegia
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-11052

    A security flaw has been discovered in kidaze CourseSelectionSystem 1.0/5.php. The impacted element is an unknown function of the file /Profilers/PriProfile/COUNT3s5.php. Performing manipulation of the argument csslc results in sql injection. The attack c... Read more

    Affected Products :
    • Published: Sep. 27, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Injection

  • 8.5

    HIGH
    CVE-2025-41250

    VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Injection

  • 8.1

    HIGH
    CVE-2025-57483

    A reflected cross-site scripting (XSS) vulnerability in tawk.to chatbox widget v4 allows attackers to execute arbitrary Javascript in the context of the user's browser via injecting a crafted payload into the vulnerable parameter.... Read more

    Affected Products :
    • Published: Sep. 29, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-10585

    Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)... Read more

    • Actively Exploited
    • Published: Sep. 24, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Memory Corruption

  • 9.4

    CRITICAL
    CVE-2025-56752

    A vulnerability in the Ruijie RG-ES series switch firmware ESW_1.0(1)B1P39 enables remote attackers to fully bypass authentication mechanisms, providing them with unrestricted access to alter administrative settings and potentially seize control of affect... Read more

    • Published: Sep. 03, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authentication

  • 8.4

    HIGH
    CVE-2025-36193

    IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalog image.... Read more

    Affected Products : transformation_advisor
    • Published: Sep. 03, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-9934

    A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2415_B20250515. This affects the function sub_410C34 of the file /cgi-bin/cstecgi.cgi. Performing manipulation of the argument pid results in command injection. Remote exploitation of the attack is poss... Read more

    Affected Products : x5000r_firmware x5000r
    • Published: Sep. 04, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-9935

    A vulnerability was determined in TOTOLINK N600R 4.3.0cu.7866_B20220506. This vulnerability affects the function sub_4159F8 of the file /web_cste/cgi-bin/cstecgi.cgi. Executing manipulation can lead to command injection. The attack can be executed remotel... Read more

    Affected Products : n600r_firmware n600r
    • Published: Sep. 04, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-9938

    A weakness has been identified in D-Link DI-8400 16.07.26A1. The affected element is the function yyxz_dlink_asp of the file /yyxz.asp. This manipulation of the argument ID causes stack-based buffer overflow. It is possible to initiate the attack remotely... Read more

    Affected Products : di-8400_firmware di-8400
    • Published: Sep. 04, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-10034

    A vulnerability was found in D-Link DIR-825 1.08.01. This impacts the function get_ping6_app_stat of the file ping6_response.cg of the component httpd. Performing manipulation of the argument ping6_ipaddr results in buffer overflow. It is possible to init... Read more

    Affected Products : dir-825_firmware dir-825
    • Published: Sep. 06, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-10093

    A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09. Affected by this vulnerability is the function phpcgi_main of the file /getcfg.php of the component Device Configuration Handler. Such manipulation leads to information disclosure. The att... Read more

    Affected Products : dir-852_firmware dir-852
    • Published: Sep. 08, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Information Disclosure

  • 4.6

    MEDIUM
    CVE-2025-21035

    Improper access control in Samsung Calendar prior to version 12.5.06.5 in Android 14 and 12.6.01.12 in Android 15 allows physical attackers to access data across multiple user profiles.... Read more

    Affected Products : android calendar
    • Published: Sep. 03, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-57349

    The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-57330

    The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.protot... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-57328

    toggle-array is a package designed to enables a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allo... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Injection

  • 8.1

    HIGH
    CVE-2025-55998

    A cross-site scripting (XSS) vulnerability in Smart Search & Filter Shopify and BigCommerce apps allows a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into several filter parameter... Read more

    Affected Products : smart_search_and_filter
    • Published: Sep. 08, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-55553

    A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 29, 2025
    • Vuln Type: Denial of Service
Showing 20 of 4261 Results