Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-14861

    Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146.0.1.... Read more

    Affected Products : firefox
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-63757

    Integer overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0.... Read more

    Affected Products : ffmpeg
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-63386

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: t... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-63388

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Contr... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-63389

    A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unautho... Read more

    Affected Products : ollama
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2025-63390

    An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information... Read more

    Affected Products : anythingllm
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-63391

    An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.... Read more

    Affected Products : open_webui
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authentication

  • 3.3

    LOW
    CVE-2025-68469

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.1-14, ImageMagick crashes when processing a crafted TIFF file. Version 7.1.1-14 fixes the issue.... Read more

    Affected Products : imagemagick
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-56157

    Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code.... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-59949

    FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue.... Read more

    Affected Products : freshrss
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.6

    HIGH
    CVE-2024-58313

    xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modi... Read more

    Affected Products : xbtitfm
    • Published: Dec. 11, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Misconfiguration

  • 8.7

    HIGH
    CVE-2024-58312

    xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like using enc... Read more

    Affected Products : xbtitfm
    • Published: Dec. 11, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2024-58309

    xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTR... Read more

    Affected Products : xbtitfm
    • Published: Dec. 11, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 10.0

    HIGH
    CVE-2025-14709

    A security vulnerability has been detected in Shiguangwu sgwbox N3 2.0.25. Affected by this issue is some unknown functionality of the file /usr/sbin/http_eshell_server of the component WIRELESSCFGGET Interface. The manipulation of the argument params lea... Read more

    Affected Products : n3_nas n3_firmware n3
    • Published: Dec. 15, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-63387

    Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement prope... Read more

    Affected Products : dify
    • Published: Dec. 18, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-15048

    A vulnerability was determined in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/CheckTools of the component HTTP Request Handler. Executing manipulation of the argument ipaddress can lead to command injection. The attack can b... Read more

    Affected Products : wh450_firmware wh450
    • Published: Dec. 23, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Injection

  • 10.0

    HIGH
    CVE-2025-15047

    A vulnerability was found in Tenda WH450 1.0.0.18. This affects an unknown function of the file /goform/PPTPDClient of the component HTTP Request Handler. Performing manipulation of the argument Username results in stack-based buffer overflow. The attack ... Read more

    Affected Products : wh450_firmware wh450
    • Published: Dec. 23, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 10.0

    HIGH
    CVE-2025-15046

    A vulnerability has been found in Tenda WH450 1.0.0.18. The impacted element is an unknown function of the file /goform/PPTPClient of the component HTTP Request Handler. Such manipulation of the argument netmsk leads to stack-based buffer overflow. It is ... Read more

    Affected Products : wh450_firmware wh450
    • Published: Dec. 23, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 10.0

    HIGH
    CVE-2025-15045

    A flaw has been found in Tenda WH450 1.0.0.18. The affected element is an unknown function of the file /goform/Natlimit of the component HTTP Request Handler. This manipulation of the argument page causes stack-based buffer overflow. It is possible to ini... Read more

    Affected Products : wh450_firmware wh450
    • Published: Dec. 23, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Memory Corruption

  • 6.1

    MEDIUM
    CVE-2025-65754

    Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename.... Read more

    Affected Products : algernon
    • Published: Dec. 10, 2025
    • Modified: Dec. 30, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 5249 Results