Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.4

    MEDIUM
    CVE-2023-53909

    WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /... Read more

    Affected Products : wbce_cms
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2023-53915

    Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags in the de... Read more

    Affected Products : zenphoto
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2023-53916

    Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported as HTML, malicious JavaScript payloads injected into the p... Read more

    Affected Products : zenphoto
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2023-53926

    PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the 'column' parameter in the index.php endpoint to p... Read more

    Affected Products : simple_cms
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2023-53927

    PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execu... Read more

    Affected Products : simple_cms
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.6

    HIGH
    CVE-2025-34288

    Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an... Read more

    Affected Products : nagios_xi
    • Published: Dec. 16, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Authentication

  • 8.8

    HIGH
    CVE-2023-53913

    Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a... Read more

    Affected Products : rukovoditel
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2023-53903

    WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, ... Read more

    Affected Products : websitebaker
    • Published: Dec. 16, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2023-53981

    PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a revers... Read more

    Affected Products : photoshow
    • Published: Dec. 22, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-60935

    An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or token thef... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Misconfiguration

  • 7.2

    HIGH
    CVE-2025-2515

    A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can le... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Misconfiguration

  • 6.8

    MEDIUM
    CVE-2025-13407

    The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Misconfiguration

  • 6.5

    MEDIUM
    CVE-2024-40317

    A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter HTTP.... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2024-39037

    MyNET up to v26.08.316 was discovered to contain an Unauthenticated SQL Injection vulnerability via the intmenu parameter.... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2024-35322

    MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter.... Read more

    Affected Products :
    • Published: Dec. 24, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.7

    HIGH
    CVE-2023-53896

    D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download device configuration settings without authentication. Attackers can exploit the /cgi-bin/ExportSettings.sh endpoint to r... Read more

    Affected Products : dap-1325_firmware dap-1325
    • Published: Dec. 16, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2023-53914

    UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specifi... Read more

    Affected Products : ulicms
    • Published: Dec. 17, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Authentication

  • 5.1

    MEDIUM
    CVE-2022-50680

    A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browse... Read more

    Affected Products : xperience
    • Published: Dec. 18, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2022-50681

    A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in us... Read more

    Affected Products : xperience
    • Published: Dec. 18, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.9

    MEDIUM
    CVE-2022-50682

    A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks.... Read more

    Affected Products : xperience
    • Published: Dec. 18, 2025
    • Modified: Dec. 24, 2025
    • Vuln Type: Injection
Showing 20 of 4962 Results