Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
  • 6.5

    MEDIUM
    CVE-2025-63046

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro-plugin allows DOM-Based XSS.This issue affects ListingPro: from n/a through <= 2.9.9.... Read more

    Affected Products : listingpro
    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-12687

    A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to cause a denial of service (application crash) via a crafted command, resulting in servi... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Denial of Service
  • 6.5

    MEDIUM
    CVE-2025-65815

    A lack of security checks in the file import process of AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 allows attackers to execute a directory traversal.... Read more

    Affected Products :
    • Published: Dec. 10, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal
  • 6.5

    MEDIUM
    CVE-2025-66511

    Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details ... Read more

    Affected Products : calendar notes
    • Published: Dec. 05, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Cryptography
  • 6.5

    MEDIUM
    CVE-2025-65082

    Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affe... Read more

    Affected Products : http_server
    • Published: Dec. 05, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Misconfiguration
  • 6.5

    MEDIUM
    CVE-2025-9613

    A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the same tag. This t... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration
  • 6.5

    MEDIUM
    CVE-2025-66202

    Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the ori... Read more

    Affected Products : astro
    • Published: Dec. 09, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Authentication
  • 6.5

    MEDIUM
    CVE-2025-66508

    1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-Fo... Read more

    Affected Products : 1panel
    • Published: Dec. 09, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Misconfiguration
  • 6.5

    MEDIUM
    CVE-2025-63037

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows DOM-Based XSS.This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-63045

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS.This issue affects Master Slider Pro: from n/a through <= 3.7.12.... Read more

    Affected Products : master_slider
    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-63061

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hogash Kallyas kallyas allows DOM-Based XSS.This issue affects Kallyas: from n/a through <= 4.22.0.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 09, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.5

    MEDIUM
    CVE-2025-14522

    A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestri... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration
  • 6.5

    MEDIUM
    CVE-2025-66132

    Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAPI Member: from n/a through <= 2.2.26.... Read more

    Affected Products :
    • Published: Dec. 16, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization
  • 6.5

    MEDIUM
    CVE-2025-67976

    Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Watu Quiz: from n/a through <= 3.4.5.... Read more

    Affected Products : watu_quiz
    • Published: Dec. 16, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Authorization
  • 6.5

    MEDIUM
    CVE-2025-12689

    Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.... Read more

    Affected Products : mattermost_server
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Denial of Service
  • 6.5

    MEDIUM
    CVE-2025-55893

    TOTOLINK N200RE V9.3.5u.6437_B20230519 is vulnerable to command Injection in setOpModeCfg via hostName.... Read more

    Affected Products : n200re_firmware n200re
    • Published: Dec. 15, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection
  • 6.5

    MEDIUM
    CVE-2025-55901

    TOTOLINK A3300R V17.0.0cu.596_B20250515 is vulnerable to command injection in the function NTPSyncWithHost via the host_time parameter.... Read more

    Affected Products : a3300r_firmware a3300r
    • Published: Dec. 15, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection
  • 6.5

    MEDIUM
    CVE-2025-14117

    A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor... Read more

    Affected Products : halo
    • Published: Dec. 06, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Cross-Site Request Forgery
  • 6.5

    MEDIUM
    CVE-2025-13231

    The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_fil... Read more

    Affected Products : fancy_product_designer
    • Published: Dec. 16, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Server-Side Request Forgery
  • 6.5

    MEDIUM
    CVE-2025-8305

    An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being printed in plaintext in Identity Agent for Terminal Services debug files.... Read more

    Affected Products :
    • Published: Dec. 22, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Information Disclosure
Showing 20 of 4949 Results