Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.6

    HIGH
    CVE-2025-54520

    Improper Protection Against Voltage and Clock Glitches in FPGA devices, could allow an attacker with physical access to undervolt the platform resulting in a loss of confidentiality.... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-57349

    The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Misconfiguration

  • 4.3

    MEDIUM
    CVE-2025-59426

    Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-For... Read more

    Affected Products : lobe_chat
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-59833

    Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point ded... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Information Disclosure

  • 8.5

    HIGH
    CVE-2025-10941

    A vulnerability was determined in Topaz SERVCore Teller 2.14.0-RC2/2.14.1. Affected by this issue is some unknown functionality of the file SERVCoreTeller_2.0.40D.msi of the component Installer. Executing manipulation can lead to permission issues. The at... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025

  • 5.1

    MEDIUM
    CVE-2025-10943

    A security flaw has been discovered in MikeCen WeChat-Face-Recognition up to 6e3f72bf8547d80b59e330f1137e4aa505f492c1. This vulnerability affects the function valid of the file wx.php. The manipulation of the argument echostr results in cross site scripti... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-26278

    A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Denial of Service

  • 7.7

    HIGH
    CVE-2025-59524

    Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, the file upload flow performs validation only in the browser and does not enforce server-side checks. An attacker can bypass the client-side validation (for... Read more

    Affected Products : horilla
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Authentication

  • 7.6

    HIGH
    CVE-2025-59251

    Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability... Read more

    Affected Products : edge_chromium
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025

  • 6.5

    MEDIUM
    CVE-2025-57354

    A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's tran... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-57351

    A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adver... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Misconfiguration

  • 5.5

    MEDIUM
    CVE-2025-10947

    A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing manipulation of the argument pes_cpf can lead to a... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-59830

    Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parame... Read more

    Affected Products : rack
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Denial of Service

  • 7.7

    HIGH
    CVE-2025-20327

    A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper input validation. An attacke... Read more

    Affected Products : ios
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Denial of Service

  • 0.0

    NA
    CVE-2025-56241

    Aztech DSL5005EN firmware 1.00.AZ_2013-05-10 and possibly other versions allows unauthenticated attackers to change the administrator password via a crafted POST request to sysAccess.asp. This allows full administrative control of the router without authe... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Authentication

  • 9.0

    HIGH
    CVE-2025-10942

    A vulnerability was identified in H3C Magic B3 up to 100R002. This affects the function AddMacList of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. The attack can be initiated remotely. The exploit is publicly ... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Memory Corruption

  • 8.2

    HIGH
    CVE-2025-59827

    Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege ... Read more

    Affected Products :
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Authorization

  • 5.1

    MEDIUM
    CVE-2025-10944

    A weakness has been identified in yi-ge get-header-ip up to 589b23d0eb0043c310a6a13ce4bbe2505d0d0b15. This issue affects the function ip of the file ip.php. This manipulation of the argument callback causes cross site scripting. The attack may be initiate... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-48869

    Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, all... Read more

    Affected Products : horilla
    • Published: Sep. 24, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Information Disclosure

  • 9.8

    CRITICAL
    CVE-2025-59834

    ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its ... Read more

    Affected Products :
    • Published: Sep. 25, 2025
    • Modified: Sep. 26, 2025
    • Vuln Type: Injection
Showing 20 of 4204 Results