Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-68572

    Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BBP Core: from n/a through <= 1.4.1.... Read more

    Affected Products : bbp_core
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-65817

    LSC Smart Connect Indoor IP Camera 1.4.13 contains a RCE vulnerability in start_app.sh.... Read more

    Affected Products :
    • Published: Dec. 22, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-34436

    AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.... Read more

    Affected Products : avideo
    • Published: Dec. 17, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-56127

    OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the get_wanobj in file /usr/lib/lua/luci/controller/admin/common.lua.... Read more

    Affected Products : rg-bcr600w_firmware rg-bcr600w
    • Published: Dec. 11, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-14203

    A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. This manipulation of the argument subid causes sql injection. Remote exploitation of the attack is poss... Read more

    Affected Products : question_paper_generator
    • Published: Dec. 07, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-65780

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side... Read more

    Affected Products : wekan
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2024-44598

    FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module.... Read more

    Affected Products : fnt_command
    • Published: Dec. 15, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-68608

    Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Userpro: from n/a through <= 5.1.9.... Read more

    Affected Products : userpro
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-13481

    IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input.... Read more

    Affected Products : linux_kernel aspera_orchestrator
    • Published: Dec. 11, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-56096

    OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua.... Read more

    Affected Products : rg-bcr600w_firmware rg-bcr600w
    • Published: Dec. 11, 2025
    • Modified: Dec. 26, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2023-53929

    phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an ad... Read more

    Affected Products : phpmyfaq
    • Published: Dec. 17, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-66294

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain cond... Read more

    Affected Products : grav grav-plugin-admin
    • Published: Dec. 01, 2025
    • Modified: Dec. 04, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-65897

    zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file sys... Read more

    Affected Products : zdh_web
    • Published: Dec. 05, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-7073

    A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback)... Read more

    • Published: Dec. 10, 2025
    • Modified: Dec. 12, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2023-53888

    Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute s... Read more

    Affected Products : zomplog
    • Published: Dec. 15, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-67622

    Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS.This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9.... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2025-9121

    Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 16, 2025
    • Vuln Type: Information Disclosure

  • 8.8

    HIGH
    CVE-2025-60786

    A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file.... Read more

    Affected Products : icescrum
    • Published: Dec. 15, 2025
    • Modified: Dec. 23, 2025
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2025-14085

    A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploita... Read more

    Affected Products : youlai-mall
    • Published: Dec. 05, 2025
    • Modified: Dec. 10, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2023-53875

    GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV techniq... Read more

    Affected Products : gom_player
    • Published: Dec. 15, 2025
    • Modified: Dec. 18, 2025
    • Vuln Type: Injection
Showing 20 of 4784 Results