Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.9

    CRITICAL
    CVE-2025-67164

    An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.... Read more

    Affected Products : pagekit
    • Published: Dec. 17, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-67165

    An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.... Read more

    Affected Products : pagekit
    • Published: Dec. 17, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 7.3

    HIGH
    CVE-2025-67285

    A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that attackers inject malicious code from the parameter 'id' and use it directly in SQL quer... Read more

    • Published: Dec. 17, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 9.6

    CRITICAL
    CVE-2025-67289

    An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file.... Read more

    Affected Products : frappe erpnext
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-67290

    A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field.... Read more

    Affected Products : piranha_cms
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-67291

    A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field.... Read more

    Affected Products : piranha_cms
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-67418

    ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default cred... Read more

    Affected Products : clipbucket
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-67436

    Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).... Read more

    Affected Products : pluxml
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 7.6

    HIGH
    CVE-2025-67442

    EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users.... Read more

    Affected Products : eve-ng
    • Published: Dec. 19, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-67443

    Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel.... Read more

    Affected Products : cms
    • Published: Dec. 22, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-68115

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email ve... Read more

    Affected Products : parse-server
    • Published: Dec. 16, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.9

    HIGH
    CVE-2025-68116

    FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An at... Read more

    Affected Products : filerise
    • Published: Dec. 16, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.8

    MEDIUM
    CVE-2023-7331

    A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate t... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-15431

    A flaw has been found in UTT 进取 512W 1.7.7-171114. This affects the function strcpy of the file /goform/formFtpServerDirConfig. Executing manipulation of the argument filename can lead to buffer overflow. The attack can be launched remotely. The exploit h... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 5.8

    MEDIUM
    CVE-2025-15438

    A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing manipulation of the argument File can lead to deserialization. ... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Information Disclosure

  • 9.1

    CRITICAL
    CVE-2025-69288

    Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it l... Read more

    Affected Products : titra
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 7.1

    HIGH
    CVE-2025-53235

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Social allows Reflected XSS.This issue affects Easy Social: from n/a through 1.3.... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.1

    HIGH
    CVE-2023-7332

    PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotba... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2026-0547

    A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results... Read more

    Affected Products : online_course_registration
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 5.1

    MEDIUM
    CVE-2025-15437

    A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. T... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4310 Results