Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2025-46175

    Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.... Read more

    Affected Products : ruoyi
    • Published: Nov. 26, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authorization

  • 8.5

    HIGH
    CVE-2025-34352

    JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged creat... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Race Condition

  • 7.6

    HIGH
    CVE-2025-66414

    MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-bas... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Misconfiguration

  • 5.4

    MEDIUM
    CVE-2025-52622

    The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as ... Read more

    Affected Products : bigfix_saas
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Misconfiguration

  • 7.6

    HIGH
    CVE-2025-66468

    The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS att... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Cross-Site Scripting

  • 2.7

    LOW
    CVE-2025-66409

    ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to ... Read more

    Affected Products : esp-idf
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Memory Corruption

  • 7.6

    HIGH
    CVE-2025-66416

    The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, tThe Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. Whe... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Misconfiguration

  • 9.3

    CRITICAL
    CVE-2025-13510

    The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authentication

  • 4.5

    MEDIUM
    CVE-2025-64750

    SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can... Read more

    Affected Products : singularity
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Misconfiguration

  • 6.5

    MEDIUM
    CVE-2025-66454

    Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticat... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-13542

    The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes i... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authentication

  • 5.2

    MEDIUM
    CVE-2025-57850

    A container privilege escalation flaw was found in certain CodeReady Workspaces images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands... Read more

    Affected Products :
    • Published: Dec. 02, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Misconfiguration

  • 6.7

    MEDIUM
    CVE-2025-61915

    OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process whic... Read more

    Affected Products : cups unix
    • Published: Nov. 29, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Memory Corruption

  • 5.3

    MEDIUM
    CVE-2025-11379

    The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. Th... Read more

    Affected Products :
    • Published: Dec. 04, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Information Disclosure

  • 7.6

    HIGH
    CVE-2025-65027

    RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML f... Read more

    Affected Products :
    • Published: Dec. 03, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-20381

    In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions... Read more

    Affected Products :
    • Published: Dec. 03, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authorization

  • 0.0

    NA
    CVE-2025-40217

    In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls stricter than we do now.... Read more

    Affected Products : linux_kernel
    • Published: Dec. 04, 2025
    • Modified: Dec. 04, 2025

  • 5.3

    MEDIUM
    CVE-2025-13472

    A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdo... Read more

    Affected Products :
    • Published: Dec. 03, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Authorization

  • 0.0

    NA
    CVE-2025-40244

    In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() The syzbot reported issue in __hfsplus_ext_cache_extent(): [ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hf... Read more

    Affected Products : linux_kernel
    • Published: Dec. 04, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Memory Corruption

  • 0.0

    NA
    CVE-2025-40245

    In the Linux kernel, the following vulnerability has been resolved: nios2: ensure that memblock.current_limit is set when setting pfn limits On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of ... Read more

    Affected Products : linux_kernel
    • Published: Dec. 04, 2025
    • Modified: Dec. 04, 2025
Showing 20 of 4934 Results