Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.4

    HIGH
    CVE-2025-58407

    Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.... Read more

    Affected Products : ddk
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Race Condition

  • 4.5

    MEDIUM
    CVE-2025-55058

    CWE-20 Improper Input Validation... Read more

    Affected Products : rumpus
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025

  • 6.6

    MEDIUM
    CVE-2025-13133

    The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and a... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-65073

    OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.... Read more

    Affected Products : keystone
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-12962

    The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_saf... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Server-Side Request Forgery

  • 8.1

    HIGH
    CVE-2025-12974

    The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including ... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2025-13088

    The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. ... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-12079

    The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-12955

    The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugi... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-36118

    IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request.... Read more

    Affected Products : storage_virtualize
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Information Disclosure

  • 5.5

    MEDIUM
    CVE-2025-13193

    A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.... Read more

    Affected Products : libvirt
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2025-11620

    The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-13249

    A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unr... Read more

    Affected Products : jiusi_oa
    • Published: Nov. 16, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Misconfiguration

  • 6.9

    MEDIUM
    CVE-2025-64342

    ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. I... Read more

    Affected Products : esp-idf
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Denial of Service

  • 8.8

    HIGH
    CVE-2025-13319

    An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the att... Read more

    Affected Products :
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Injection

  • 8.1

    HIGH
    CVE-2025-63916

    MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. The application fails to properly sanitize user-supplied file paths before passing them to cmd.exe, allowing attackers to execute arbitrary system c... Read more

    Affected Products :
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-41733

    The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Authentication

  • 3.2

    LOW
    CVE-2025-12792

    The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permis... Read more

    Affected Products : canva
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Misconfiguration

  • 4.3

    MEDIUM
    CVE-2025-12372

    The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest ... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Authorization

  • 3.2

    LOW
    CVE-2025-65083

    GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from t... Read more

    Affected Products :
    • Published: Nov. 17, 2025
    • Modified: Nov. 18, 2025
    • Vuln Type: Misconfiguration
Showing 20 of 3978 Results