Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2023-53921

    SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application ... Read more

    Affected Products : sitemagic_cms
    • Published: Dec. 17, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2023-53895

    PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious Jav... Read more

    Affected Products : pimp_my_log
    • Published: Dec. 16, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2023-53877

    Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to steal inf... Read more

    Affected Products : bus_reservation_system
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-10738

    The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient prepa... Read more

    Affected Products :
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2023-53914

    UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specifi... Read more

    Affected Products : ulicms
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14646

    A security flaw has been discovered in code-projects Student File Management System 1.0. This impacts an unknown function of the file /admin/delete_student.php. The manipulation of the argument stud_id results in sql injection. The attack may be performed... Read more

    Affected Products : student_file_management_system
    • Published: Dec. 14, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-13764

    The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting what user roles a user can register with. This make... Read more

    Affected Products :
    • Published: Dec. 11, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14518

    A vulnerability was identified in PowerJob up to 5.1.2. This vulnerability affects the function checkConnectivity of the file src/main/java/tech/powerjob/common/utils/net/PingPongUtils.java of the component Network Request Handler. The manipulation of the... Read more

    Affected Products : powerjob
    • Published: Dec. 11, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Server-Side Request Forgery

  • 9.8

    CRITICAL
    CVE-2025-65354

    Improper input handling in /Grocery/search_products_itname.php inPuneethReddyHC event-management 1.0 permits SQL injection via the sitem_name POST parameter. Crafted payloads can alter query logic and disclose database contents. Exploitation may result in... Read more

    Affected Products :
    • Published: Dec. 23, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-36937

    In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed fo... Read more

    Affected Products : android
    • Published: Dec. 11, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-14334

    A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /new_adviser.php. Executing manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit ... Read more

    Affected Products : student_management_system
    • Published: Dec. 09, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14537

    A weakness has been identified in code-projects Class and Exam Timetable Management 1.0. Affected by this issue is some unknown functionality of the file /preview7.php. This manipulation of the argument course_year_section/semester causes sql injection. R... Read more

    • Published: Dec. 11, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14664

    A vulnerability was identified in Campcodes Supplier Management System 1.0. This issue affects some unknown processing of the file /admin/view_unit.php. The manipulation of the argument chkId[] leads to sql injection. Remote exploitation of the attack is ... Read more

    Affected Products : supplier_management_system
    • Published: Dec. 14, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14661

    A vulnerability has been found in itsourcecode Student Managemen System 1.0. Affected by this issue is some unknown functionality of the file /advisers.php. Such manipulation of the argument sy leads to sql injection. The attack can be launched remotely. ... Read more

    Affected Products : student_management_system
    • Published: Dec. 14, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-67517

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2.... Read more

    Affected Products : artplacer_widget
    • Published: Dec. 09, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-13184

    Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation, ... Read more

    Affected Products : x5000r_firmware x5000r
    • Published: Dec. 10, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-15226

    WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.... Read more

    Affected Products : wmpro
    • Published: Dec. 29, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-15228

    BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.... Read more

    Affected Products : bpmflowwebkit
    • Published: Dec. 29, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-14337

    A vulnerability was determined in itsourcecode Student Management System 1.0. This affects an unknown part of the file /new_grade.php. This manipulation of the argument grade causes sql injection. The attack can be initiated remotely. The exploit has been... Read more

    Affected Products : student_management_system
    • Published: Dec. 09, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-14666

    A weakness has been identified in itsourcecode COVID Tracking System 1.0. The affected element is an unknown function of the file /admin/?page=user. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out ... Read more

    Affected Products : covid_tracking_system
    • Published: Dec. 14, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Injection
Showing 20 of 5219 Results