Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.1

    CRITICAL
    CVE-2024-25181

    A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the "file_get_contents" function... Read more

    Affected Products :
    • Published: Dec. 29, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Server-Side Request Forgery

  • 9.1

    CRITICAL
    CVE-2025-15359

    DVP-12SE11T - Out-of-bound memory write Vulnerability... Read more

    Affected Products :
    • Published: Dec. 30, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-61811

    ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could leverage this vulnerabilit... Read more

    Affected Products : coldfusion
    • Published: Dec. 10, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2025-66430

    Plesk 18.0 has Incorrect Access Control.... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2025-14850

    Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files.... Read more

    Affected Products : webaccess\/scada
    • Published: Dec. 18, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-61808

    ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high priviledged attacker. Exploitation of this issue does not requi... Read more

    Affected Products : coldfusion
    • Published: Dec. 10, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-34449

    Genymobile/scrcpy versions up to and including 3.3.3, prior to commit 3e40b24, contain a buffer overflow vulnerability in the sc_device_msg_deserialize() function. A compromised device can send crafted messages that cause out-of-bounds reads, which may re... Read more

    Affected Products : scrcpy
    • Published: Dec. 18, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-68600

    Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery.This issue affects Link Library: from n/a through <= 7.8.4.... Read more

    Affected Products : link_library
    • Published: Dec. 24, 2025
    • Modified: Dec. 29, 2025
    • Vuln Type: Server-Side Request Forgery

  • 9.1

    CRITICAL
    CVE-2025-63386

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: t... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-65319

    When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party ... Read more

    Affected Products : bluemail
    • Published: Dec. 16, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2024-49587

    Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and au... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2025-65318

    When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party s... Read more

    Affected Products : canary_mail
    • Published: Dec. 16, 2025
    • Modified: Dec. 31, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-65548

    NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 do not validate the size of preimage when the token is spent. The preimage is stored by the mint and attacker can exploit this vulnerability to ... Read more

    Affected Products : nutshell nutshell
    • Published: Dec. 08, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Denial of Service

  • 9.1

    CRITICAL
    CVE-2025-63388

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Contr... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-68109

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently u... Read more

    Affected Products : churchcrm
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2025-68435

    Zerobyte is a backup automation tool Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessib... Read more

    Affected Products :
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2025-65868

    XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.... Read more

    Affected Products : eyoucms
    • Published: Dec. 03, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: XML External Entity

  • 9.1

    CRITICAL
    CVE-2020-36898

    QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. Attackers can exploit the 'data' parameter by sending a POST reques... Read more

    Affected Products : qihang_media_web_digital_signage
    • Published: Dec. 10, 2025
    • Modified: Dec. 17, 2025
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-65849

    A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via mathematical deduction. NOTE: this is disputed by the Supplier because the product's ... Read more

    Affected Products :
    • Published: Dec. 08, 2025
    • Modified: Dec. 11, 2025
    • Vuln Type: Cryptography

  • 9.1

    CRITICAL
    CVE-2025-58130

    Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.... Read more

    Affected Products : fineract
    • Published: Dec. 12, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authentication
Showing 20 of 5222 Results