Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2025-14137

    The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possib... Read more

    Affected Products : simple_al_slider
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 3.5

    LOW
    CVE-2025-10583

    The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-leve... Read more

    Affected Products : wp_fastest_cache
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Server-Side Request Forgery

  • 8.8

    HIGH
    CVE-2025-12824

    The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's '... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 5.1

    MEDIUM
    CVE-2025-64781

    In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration. With this configuration, the user m... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 3.1

    LOW
    CVE-2025-67737

    AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A u... Read more

    Affected Products : azuracast
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 8.7

    HIGH
    CVE-2025-67731

    Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2025-64702

    quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large ... Read more

    Affected Products : quic-go
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Denial of Service

  • 6.1

    MEDIUM
    CVE-2025-14049

    The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This ... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-13891

    The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory res... Read more

    Affected Products : modula_image_gallery
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 6.5

    MEDIUM
    CVE-2025-12960

    The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied in... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 5.1

    MEDIUM
    CVE-2025-58576

    Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page while logged in, unintended operations may... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.5

    MEDIUM
    CVE-2025-4970

    The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att... Read more

    Affected Products : bsk_pdf_manager
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-14356

    The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for auth... Read more

    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-11876

    The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on us... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.7

    MEDIUM
    CVE-2025-13663

    Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists.... Read more

    Affected Products : quartus_prime_pro
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 6.8

    MEDIUM
    CVE-2025-13320

    The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper h... Read more

    Affected Products : wp_user_manager
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 7.0

    HIGH
    CVE-2025-13053

    When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, whic... Read more

    Affected Products : data_master
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 6.7

    MEDIUM
    CVE-2025-13670

    The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability... Read more

    Affected Products : high_level_synthesis_compiler
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 6.7

    MEDIUM
    CVE-2025-13669

    Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking.This issue affects High Level Synthesis Compiler: from 19.1 through 24.3.... Read more

    Affected Products : high_level_synthesis_compiler
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 6.7

    MEDIUM
    CVE-2025-13665

    The System Console Utility for Windows is vulnerable to a DLL planting vulnerability... Read more

    Affected Products : quartus_prime_standard
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration
Showing 20 of 4849 Results