Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2025-14151

    The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and out... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-12361

    The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user ... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authorization

  • 7.1

    HIGH
    CVE-2025-1927

    Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery.This issue affects Online Food Delivery System: through 19122025.... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 3.8

    LOW
    CVE-2025-14881

    Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.... Read more

    Affected Products : pretix
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authorization

  • 5.7

    MEDIUM
    CVE-2025-14738

    Improper authentication vulnerability in TP-Link WA850RE (httpd modules) allows unauthenticated attackers to download the configuration file.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922.... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-66058

    Missing Authorization vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.17.... Read more

    Affected Products : post_grid
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authorization

  • 10.0

    CRITICAL
    CVE-2025-65037

    Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.... Read more

    Affected Products : azure_container_apps
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025

  • 9.8

    CRITICAL
    CVE-2025-64236

    Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a before 3.6.... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authentication

  • 5.4

    MEDIUM
    CVE-2025-62960

    Missing Authorization vulnerability in Sparkle WP Construction Light allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Light: from n/a through 1.6.7.... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2025-14896

    due to insufficient sanitazation in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local fi... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Server-Side Request Forgery

  • 7.4

    HIGH
    CVE-2025-14809

    ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-14812

    ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Information Disclosure

  • 4.8

    MEDIUM
    CVE-2025-14946

    A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Misconfiguration

  • 1.7

    LOW
    CVE-2025-68457

    Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime wo... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-66524

    Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object s... Read more

    Affected Products : nifi
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Misconfiguration

  • 6.9

    MEDIUM
    CVE-2025-14546

    Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generatio... Read more

    Affected Products :
    • Published: Dec. 19, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 7.7

    HIGH
    CVE-2025-14739

    Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers the ability to execute DoS attack and potentially arbitrary code execution under the context of the ‘root’ user.This issue affects WR940N... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Memory Corruption

  • 10.0

    CRITICAL
    CVE-2025-65041

    Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.... Read more

    Affected Products : partner_center
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025

  • 5.4

    MEDIUM
    CVE-2023-53935

    WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the 'tk' parameter in ticket.php. Attackers can inject crafted SQL statements using UNION-based techniques to extract sensitive databas... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-62001

    BullWall Ransomware Containment contains excluded file paths, such as '$recycle.bin' that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confi... Read more

    Affected Products :
    • Published: Dec. 18, 2025
    • Modified: Dec. 19, 2025
    • Vuln Type: Misconfiguration
Showing 20 of 5224 Results