Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
  • 6.5

    MEDIUM
    CVE-2025-59810

    An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7... Read more

    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Authorization
  • 6.5

    MEDIUM
    CVE-2025-66388

    A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to... Read more

    Affected Products : airflow
    • Published: Dec. 15, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Information Disclosure
  • 6.5

    MEDIUM
    CVE-2025-62082

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nasir Uddin Generic Elements generic-elements-for-elementor allows Stored XSS.This issue affects Generic Elements: from n/a through <= 1.2.8.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-63050

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam REHub Framework rehub-framework allows Stored XSS.This issue affects REHub Framework: from n/a through <= 19.9.8.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-63055

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.... Read more

    Affected Products : master_addons
    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-67536

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress learnpress allows Stored XSS.This issue affects LearnPress: from n/a through <= 4.2.9.4.... Read more

    Affected Products : learnpress
    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-67537

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Stored XSS.This issue affects ThirstyAffiliates: from n/a through <= 3.11.8.... Read more

    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-14089

    A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be ... Read more

    Affected Products :
    • Published: Dec. 05, 2025
    • Modified: Dec. 08, 2025
    • Vuln Type: Authorization
  • 6.5

    MEDIUM
    CVE-2025-14516

    A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. T... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Server-Side Request Forgery
  • 6.5

    MEDIUM
    CVE-2025-66508

    1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-Fo... Read more

    Affected Products : 1panel
    • Published: Dec. 09, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Misconfiguration
  • 6.5

    MEDIUM
    CVE-2025-43464

    A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.1. Visiting a website may lead to an app denial-of-service.... Read more

    Affected Products : macos
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Denial of Service
  • 6.5

    MEDIUM
    CVE-2025-65082

    Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affe... Read more

    Affected Products : http_server
    • Published: Dec. 05, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Misconfiguration
  • 6.5

    MEDIUM
    CVE-2025-64995

    A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allo... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Authorization
  • 6.5

    MEDIUM
    CVE-2025-66511

    Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details ... Read more

    Affected Products : calendar notes
    • Published: Dec. 05, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Cryptography
  • 6.5

    MEDIUM
    CVE-2025-64247

    Missing Authorization vulnerability in edmon.parker Read More & Accordion expand-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Read More & Accordion: from n/a through <= 3.5.4.1.... Read more

    Affected Products : read_more_\&_accordion
    • Published: Dec. 16, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization
  • 6.5

    MEDIUM
    CVE-2025-68079

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Shortcodes salient-shortcodes allows Stored XSS.This issue affects Salient Shortcodes: from n/a through <= 1.5.4.... Read more

    Affected Products :
    • Published: Dec. 16, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-13809

    A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineInfoControlle... Read more

    Affected Products : orion-ops
    • Published: Dec. 01, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Server-Side Request Forgery
  • 6.5

    MEDIUM
    CVE-2025-68080

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal User Avatar - Reloaded user-avatar-reloaded allows Stored XSS.This issue affects User Avatar - Reloaded: from n/a through <= 1.2.2.... Read more

    Affected Products : user_avatar-reloaded
    • Published: Dec. 16, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-66068

    Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.1.9.... Read more

    Affected Products : instawp_connect
    • Published: Dec. 18, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authorization
  • 6.5

    MEDIUM
    CVE-2025-65657

    FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without suf... Read more

    Affected Products : feehicms
    • Published: Dec. 02, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authentication
Showing 20 of 4949 Results