Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2024-58311

    Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys ... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cryptography

  • 8.8

    HIGH
    CVE-2024-58305

    WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute... Read more

    Affected Products : wondercms
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.0

    HIGH
    CVE-2025-13970

    OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially ... Read more

    Affected Products : openplc_v3_firmware
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.6

    HIGH
    CVE-2025-8083

    The Preset configuration https://v2.vuetifyjs.com/en/features/presets  feature of Vuetify is vulnerable to Prototype Pollution https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html  due to the internal 'mergeDeep... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 6.3

    MEDIUM
    CVE-2025-67721

    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attacke... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2025-67749

    PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. In versions 2.5.377 and below, an unchecked offset and size used in a memcpy operation inside PCSX2's CDVD SCMD 0x91 and SCMD 0x8F handlers allow a specially crafted disc image or ELF to cause ... Read more

    Affected Products :
    • Published: Dec. 12, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Memory Corruption

  • 6.5

    MEDIUM
    CVE-2025-0969

    The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and ... Read more

    Affected Products : brizy
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Information Disclosure

  • 5.9

    MEDIUM
    CVE-2025-10289

    The Filter & Grids plugin for WordPress is vulnerable to SQL Injection via the 'phrase' parameter in all versions up to, and including, 3.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ... Read more

    Affected Products : filter_\&_grids
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 4.4

    MEDIUM
    CVE-2025-14056

    The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. Thi... Read more

    Affected Products : custom_post_type_ui
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.4

    CRITICAL
    CVE-2025-36752

    Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively b... Read more

    Affected Products :
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-36751

    Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.... Read more

    Affected Products :
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cryptography

  • 8.4

    HIGH
    CVE-2025-36748

    ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s b... Read more

    Affected Products :
    • Published: Dec. 13, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-14695

    A vulnerability was determined in SamuNatsu HaloBot up to 026b01d4a896d93eaaf9d5163a287dc9f267515b. Affected is the function html_renderer of the file plugins/html_renderer/index.js of the component Inter-plugin API. Executing manipulation of the argument... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 4.8

    MEDIUM
    CVE-2025-14698

    A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched loc... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Path Traversal

  • 7.0

    HIGH
    CVE-2025-14038

    EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certai... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Authentication

  • 4.8

    MEDIUM
    CVE-2025-14702

    A flaw has been found in Smartbit CommV Smartschool App up to 10.4.4. Impacted is an unknown function of the component be.smartschool.mobile.SplashActivity. Executing manipulation can lead to path traversal. The attack requires local access. The exploit h... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Path Traversal

  • 6.4

    MEDIUM
    CVE-2025-14387

    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack... Read more

    Affected Products : learnpress
    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.1

    HIGH
    CVE-2025-13823

    A security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The controllers will go into recoverable fault with fault code 0xFE60. To recover the controller... Read more

    Affected Products :
    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2025-14383

    The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient p... Read more

    Affected Products : booking_calendar
    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-13950

    The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin ... Read more

    • Published: Dec. 15, 2025
    • Modified: Dec. 15, 2025
    • Vuln Type: Authentication
Showing 20 of 5139 Results