Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2023-53894

    phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and... Read more

    Affected Products :
    • Published: Dec. 16, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14527

    A weakness has been identified in projectworlds Advanced Library Management System 1.0. This vulnerability affects unknown code of the file /view_book.php. Executing manipulation of the argument book_id can lead to sql injection. The attack can be execute... Read more

    • Published: Dec. 11, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-67530

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.... Read more

    Affected Products :
    • Published: Dec. 09, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-14653

    A vulnerability was determined in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /addrecord.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit... Read more

    Affected Products : student_management_system
    • Published: Dec. 14, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14344

    The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-13764

    The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting what user roles a user can register with. This make... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-51511

    Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads.... Read more

    Affected Products :
    • Published: Dec. 23, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-64206

    Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.... Read more

    Affected Products : jannah
    • Published: Dec. 18, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2023-53877

    Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to steal inf... Read more

    Affected Products : bus_reservation_system
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14514

    A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/add_distributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. ... Read more

    Affected Products : supplier_management_system
    • Published: Dec. 11, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-66438

    A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Fo... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-67790

    An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unprivileged user could cause occasionally a Blue Screen Of Death (BSOD) on Windows computers by using an IOCTL and an unterminated string.... Read more

    Affected Products : drivelock
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-14620

    A vulnerability was determined in code-projects Student File Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/login_query.php. Executing manipulation of the argument Username can lead to sql injection. The att... Read more

    Affected Products : student_file_management_system
    • Published: Dec. 13, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-65213

    MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14877

    A vulnerability was identified in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_retailer.php. The manipulation of the argument cmbAreaCode leads to sql injection. The attack is possible to be carried out... Read more

    Affected Products : supplier_management_system
    • Published: Dec. 18, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-62849

    An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following ... Read more

    Affected Products : quts_hero qts qts quts_hero
    • Published: Dec. 16, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14832

    A vulnerability was identified in itsourcecode Online Cake Ordering System 1.0. The affected element is an unknown function of the file /updateproduct.php?action=edit. Such manipulation of the argument ID leads to sql injection. It is possible to launch t... Read more

    Affected Products : online_cake_ordering_system
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-66440

    An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the d... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-67517

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2.... Read more

    Affected Products : artplacer_widget
    • Published: Dec. 09, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2023-53874

    GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite the preset name with 260 'A' characters to trigger a buffer overflow and cause... Read more

    Affected Products : gom_player
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Memory Corruption
Showing 20 of 4865 Results