Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2025-15436

    A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. Such manipulation of the argument Report leads to sql injection. The attack can be launched remotely. The exploit... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 5.6

    MEDIUM
    CVE-2025-67707

    ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files.... Read more

    Affected Products : arcgis_server
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-47411

    A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator.  This vulnerability allows an ... Read more

    Affected Products : streampipes
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 1.2

    LOW
    CVE-2025-62852

    A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed th... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 8.7

    HIGH
    CVE-2015-10145

    Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an auth... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-67709

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a v... Read more

    Affected Products : arcgis_server
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.9

    MEDIUM
    CVE-2025-34469

    Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to a... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 8.1

    HIGH
    CVE-2025-11837

    An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the vulnerability to bypass protection mechanism. We have already fixed the vulnerability in the following version:... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 4.6

    MEDIUM
    CVE-2025-57705

    An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 2.2

    LOW
    CVE-2025-62857

    A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versi... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-15404

    A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initia... Read more

    Affected Products : school_file_management_system
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-68118

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snpri... Read more

    Affected Products : freerdp
    • Published: Dec. 17, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-68131

    cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked wi... Read more

    Affected Products : cbor2
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Information Disclosure

  • 8.3

    HIGH
    CVE-2025-68150

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter i... Read more

    Affected Products : parse-server
    • Published: Dec. 16, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.7

    HIGH
    CVE-2025-68279

    Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.... Read more

    Affected Products : weblate
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-68398

    Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.... Read more

    Affected Products : weblate
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-68460

    Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.... Read more

    Affected Products : webmail
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2025-68461

    Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.... Read more

    Affected Products : webmail
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.7

    HIGH
    CVE-2025-68477

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only... Read more

    Affected Products : langflow
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.1

    HIGH
    CVE-2025-68478

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that... Read more

    Affected Products : langflow
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal
Showing 20 of 5231 Results