Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.3

    CRITICAL
    CVE-2025-40804

    A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). The affected application exposes a network share without any authentication. This could allow an attacker to access or alter sensitive data without proper ... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authentication

  • 8.7

    HIGH
    CVE-2025-40797

    A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), User Management Component (UMC) (All versions < V2.15.1.3). Affected products contain a out-of-bounds read vulnerability in the integrated UMC... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Denial of Service

  • 7.8

    HIGH
    CVE-2025-41701

    An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. These arbitrary commands are executed in the user context.... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 8.2

    HIGH
    CVE-2025-9166

    A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.... Read more

    Affected Products : controllogix_5580_firmware
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Denial of Service

  • 7.2

    HIGH
    CVE-2025-9951

    A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.... Read more

    Affected Products : ffmpeg
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Memory Corruption

  • 8.2

    HIGH
    CVE-2025-33045

    APTIOV contains vulnerabilities in the BIOS where a privileged user may cause “Write-what-where Condition” and “Exposure of Sensitive Information to an Unauthorized Actor” through local access. The successful exploitation of these vulnerabilities can lead... Read more

    Affected Products : aptio_v
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Information Disclosure

  • 4.3

    MEDIUM
    CVE-2025-42923

    Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and avail... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.8

    MEDIUM
    CVE-2025-10107

    A vulnerability has been found in TRENDnet TEW-831DR 1.0 (601.130.1.1410). Impacted is an unknown function of the file /boafrm/formSysCmd. The manipulation of the argument sysHost leads to command injection. The attack is possible to be carried out remote... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2025-10183

    A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. TecConnect 4.1 is considered end-of-life as of December... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: XML External Entity

  • 8.8

    HIGH
    CVE-2025-9112

    The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, wit... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-52389

    An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request.... Read more

    Affected Products :
    • Published: Sep. 08, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2023-21483

    Improper Access Control vulnerability in Galaxy Store prior to version 4.5.53.6 allows local attacker to access protected data using exported service.... Read more

    Affected Products : galaxy_store
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 5.0

    MEDIUM
    CVE-2025-21036

    Improper access control in Samsung Notes prior to version 4.4.30.63 allows local privileged attackers to access exported note files. User interaction is required for triggering this vulnerability.... Read more

    Affected Products : notes
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-21037

    Improper access control in Samsung Notes prior to version 4.4.30.63 allows physical attackers to access data across multiple user profiles. User interaction is required for triggering this vulnerability.... Read more

    Affected Products : notes
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2024-43115

    Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, ... Read more

    Affected Products : dolphinscheduler
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2024-43166

    Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.... Read more

    Affected Products : dolphinscheduler
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Misconfiguration

  • 4.2

    MEDIUM
    CVE-2025-58460

    A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, c... Read more

    Affected Products : opentelemetry
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 6.1

    MEDIUM
    CVE-2025-55944

    Slink v1.4.9 allows stored cross-site scripting (XSS) via crafted SVG uploads. When a user views the shared image in a new browser tab, the embedded JavaScript executes. The issue affects both authenticated and unauthenticated users.... Read more

    Affected Products : slink
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-56435

    SQL Injection vulnerability in FoxCMS v1.2.6 and before allows a remote attacker to execute arbitrary code via the. file /DataBackup.php and the operation on the parameter id.... Read more

    Affected Products : foxcms
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-56498

    An OS command injection vulnerability exists in PLDT WiFi Router's Prolink PGN6401V Firmware 8.1.2 web management interface. The ping6.asp page submits user input to the /boaform/formPing6 endpoint via the pingAddr parameter, which is not properly sanitiz... Read more

    Affected Products : pgn6401v_firmware pgn6401v
    • Published: Sep. 03, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection
Showing 20 of 4467 Results