Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2025-68272

    Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/sig... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 6.9

    MEDIUM
    CVE-2025-66023

    NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is tr... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 6.5

    MEDIUM
    CVE-2025-15406

    A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used.... Read more

    Affected Products : online_course_registration
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-15405

    A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely.... Read more

    Affected Products : phpems
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 6.5

    MEDIUM
    CVE-2025-15404

    A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initia... Read more

    Affected Products : school_file_management_system
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-48769

    Use After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to... Read more

    Affected Products : nuttx
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 6.4

    MEDIUM
    CVE-2025-14627

    The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink ... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 5.8

    MEDIUM
    CVE-2025-15415

    A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. The manipulation of the argument image leads to unrestricted upload. Remote e... Read more

    Affected Products : wangmarket
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-13820

    The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 4.3

    MEDIUM
    CVE-2025-14428

    The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in al... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2025-68118

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snpri... Read more

    Affected Products : freerdp
    • Published: Dec. 17, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-68131

    cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked wi... Read more

    Affected Products : cbor2
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Information Disclosure

  • 8.3

    HIGH
    CVE-2025-68150

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter i... Read more

    Affected Products : parse-server
    • Published: Dec. 16, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.7

    HIGH
    CVE-2025-68279

    Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.... Read more

    Affected Products : weblate
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-68398

    Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.... Read more

    Affected Products : weblate
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-68460

    Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.... Read more

    Affected Products : webmail
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2025-68461

    Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.... Read more

    Affected Products : webmail
    • Published: Dec. 18, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.7

    HIGH
    CVE-2025-68477

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only... Read more

    Affected Products : langflow
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.1

    HIGH
    CVE-2025-68478

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that... Read more

    Affected Products : langflow
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 0.0

    NA
    CVE-2025-40309

    In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.... Read more

    Affected Products : linux_kernel
    • Published: Dec. 08, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption
Showing 20 of 4963 Results