Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.4

    MEDIUM
    CVE-2025-12660

    The Padlet Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'key' parameter in the 'wallwisher' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on u... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-12661

    The Pollcaster Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'pollcaster' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escapi... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-11764

    The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the [notification] shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. T... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.6

    CRITICAL
    CVE-2025-10571

    Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius.This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1.... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authentication

  • 6.1

    MEDIUM
    CVE-2025-64984

    Kaspersky has fixed a security issue in Kaspersky Endpoint Security for Linux (any version with anti-virus databases prior to 18.11.2025), Kaspersky Industrial CyberSecurity for Linux Nodes (any version with anti-virus databases prior to 18.11.2025), and ... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.8

    MEDIUM
    CVE-2025-62346

    A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint.... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.4

    MEDIUM
    CVE-2025-55127

    HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate count... Read more

    Affected Products : revive_adserver
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Misconfiguration

  • 6.9

    MEDIUM
    CVE-2025-64185

    Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, Open OnDemand packages create world writable locations in the GEM_PATH. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.... Read more

    Affected Products : open_ondemand
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Misconfiguration

  • 6.4

    MEDIUM
    CVE-2025-11765

    The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. ... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.3

    CRITICAL
    CVE-2025-34320

    BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to cause the server to read arbitrary system files accessi... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Path Traversal

  • 4.9

    MEDIUM
    CVE-2025-12750

    The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping on the user supplied parameter and lack of ... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-11800

    The Surbma | MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and outp... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-11801

    The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escap... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-12039

    The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for... Read more

    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Information Disclosure

  • 6.4

    MEDIUM
    CVE-2025-13141

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag name... Read more

    Affected Products : ht_mega
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-11768

    The Islamic Phrases plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'phrases' shortcode attribute in all versions up to, and including, 2.12.2015. This is due to insufficient input sanitization and output escaping. This makes it ... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-12935

    The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fluentcrm_content' shortcode in all versions up to, and inc... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-11771

    The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' funct... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2025-11368

    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax ... Read more

    Affected Products : learnpress
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Information Disclosure

  • 4.3

    MEDIUM
    CVE-2025-11773

    The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and inc... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization
Showing 20 of 4538 Results