Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-55366

    Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack.... Read more

    Affected Products : jsherp
    • Published: Aug. 21, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-55367

    Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.... Read more

    Affected Products : jsherp
    • Published: Aug. 21, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 5.5

    MEDIUM
    CVE-2025-8840

    A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the att... Read more

    Affected Products : jsherp
    • Published: Aug. 11, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-9718

    A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in c... Read more

    Affected Products : o2oa
    • Published: Aug. 31, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-9719

    A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/descript... Read more

    Affected Products : o2oa
    • Published: Aug. 31, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-8839

    A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit ... Read more

    Affected Products : jsherp
    • Published: Aug. 11, 2025
    • Modified: Sep. 09, 2025

  • 9.8

    CRITICAL
    CVE-2025-50722

    Insecure Permissions vulnerability in sparkshop v.1.1.7 allows a remote attacker to execute arbitrary code via the Common.php component... Read more

    Affected Products : sparkshop
    • Published: Aug. 25, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Misconfiguration

  • 7.7

    HIGH
    CVE-2025-57809

    XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21.... Read more

    Affected Products : xgrammar
    • Published: Aug. 25, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Denial of Service

  • 5.4

    MEDIUM
    CVE-2025-52217

    SelectZero Data Observability Platform before 2025.5.2 is vulnerable to HTML Injection. Legacy UI fields improperly handle user-supplied input, allowing injection of arbitrary HTML.... Read more

    Affected Products : selectzero
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-52218

    SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Improper sanitization of unspecified parameters allows attackers to inject arbitrary text or limited HTML into the login page.... Read more

    Affected Products : selectzero
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-52219

    SelectZero SelectZero Data Observability Platform before 2025.5.2 contains an Open Redirect vulnerability. Legacy UI fields can be used to create arbitrary external links via HTML Injection.... Read more

    Affected Products : selectzero
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Misconfiguration

  • 6.1

    MEDIUM
    CVE-2025-56432

    A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component... Read more

    Affected Products : nagios_xi
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.7

    HIGH
    CVE-2025-57810

    jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage ... Read more

    Affected Products : jspdf
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2025-50974

    The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands ... Read more

    Affected Products : ipfire
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-52184

    Cross Site Scripting vulnerability in Helpy.io v.2.8.0 allows a remote attacker to escalate privileges via the New Topic Ticket funtion.... Read more

    Affected Products : helpy
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-50976

    IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability.... Read more

    Affected Products : ipfire
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-50975

    IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persisten... Read more

    Affected Products : ipfire
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-52353

    An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its... Read more

    Affected Products : badaso
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2025-55443

    Telpo MDM 1.4.6 thru 1.4.9 for Android contains sensitive administrator credentials and MQTT server connection details (IP/port) that are stored in plaintext within log files on the device's external storage. This allows attackers with access to these log... Read more

    Affected Products : telpo_mdm
    • Published: Aug. 26, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Information Disclosure

  • 5.8

    MEDIUM
    CVE-2025-56694

    Client-side password validation (CWE-602) in lumasoft fotoShare Cloud 2025-03-13 allowing unauthenticated attackers to view password-protected photo albums.... Read more

    Affected Products : fotoshare_cloud
    • Published: Aug. 27, 2025
    • Modified: Sep. 09, 2025
    • Vuln Type: Authentication
Showing 20 of 293259 Results