Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-13317

    The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_veri... Read more

    Affected Products : appointment_booking_calendar
    • Published: Nov. 22, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-12747

    The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated a... Read more

    Affected Products : tainacan
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2025-13526

    The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it ... Read more

    Affected Products :
    • Published: Nov. 22, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 8.5

    HIGH
    CVE-2025-65109

    Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs w... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Supply Chain

  • 10.0

    CRITICAL
    CVE-2025-41115

    SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabl... Read more

    Affected Products : grafana
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authentication

  • 8.6

    HIGH
    CVE-2025-48507

    The security state of the calling processor into Arm® Trusted Firmware (TF-A) is not used and could potentially allow non-secure processors access to secure memories, access to crypto operations, and the ability to turn on and off subsystems within the SO... Read more

    Affected Products :
    • Published: Nov. 23, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2025-13404

    The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authentica... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 7.3

    HIGH
    CVE-2025-0003

    Inadequate lock protection within Xilinx Run time may allow a local attacker to trigger a Use-After-Free condition potentially resulting in loss of confidentiality or availability... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Memory Corruption

  • 5.7

    MEDIUM
    CVE-2025-0007

    Insufficient validation within Xilinx Run Time framework could allow a local attacker to escalate privileges from user space to kernel space, potentially compromising confidentiality, integrity, and/or availability.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Memory Corruption

  • 5.1

    MEDIUM
    CVE-2025-13589

    FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-7402

    The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parame... Read more

    Affected Products : ads_pro
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 7.1

    HIGH
    CVE-2025-12629

    The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin... Read more

    Affected Products : broken_link_manager
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 2.7

    LOW
    CVE-2025-13596

    A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error ... Read more

    Affected Products : ciges
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Information Disclosure

  • 7.3

    HIGH
    CVE-2025-12739

    An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Sel... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.7

    HIGH
    CVE-2025-12740

    A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters. Looker-hosted and Self-hosted we... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 5.9

    MEDIUM
    CVE-2025-12394

    The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable witho... Read more

    Affected Products : backup_migration
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2025-41729

    An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2025-41016

    Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/<MEDIA>”, where the “MEDIA” parameter can take the value of “... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 6.3

    MEDIUM
    CVE-2025-12628

    The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them... Read more

    Affected Products : wp_2fa
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authentication

  • 6.9

    MEDIUM
    CVE-2025-41017

    Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization
Showing 20 of 4537 Results