Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2025-62703

    Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-63735

    A reflected Cross site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.1

    CRITICAL
    CVE-2025-13565

    A weakness has been identified in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the file /model/user/resetPassword.php. Executing manipulation can lead to weak password recovery. The attack may be performed... Read more

    • Published: Nov. 23, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Authentication

  • 4.3

    MEDIUM
    CVE-2025-43374

    An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, macOS Sequoia 15.5, watchOS 11.5. An attacker in physical proximity... Read more

    Affected Products : macos iphone_os watchos ipados visionos
    • Published: Nov. 21, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Memory Corruption

  • 4.3

    MEDIUM
    CVE-2025-31266

    A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.... Read more

    Affected Products : macos safari
    • Published: Nov. 21, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Information Disclosure

  • 5.5

    MEDIUM
    CVE-2025-31248

    A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.5, macOS Sonoma 14.7.3. An app may be able to access sensitive user data.... Read more

    Affected Products : macos
    • Published: Nov. 21, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Path Traversal

  • 2.4

    LOW
    CVE-2025-31216

    The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to override managed Wi-Fi profiles.... Read more

    Affected Products : iphone_os ipados
    • Published: Nov. 21, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2025-65998

    Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This all... Read more

    Affected Products : syncope
    • Published: Nov. 24, 2025
    • Modified: Nov. 26, 2025
    • Vuln Type: Cryptography

  • 8.0

    HIGH
    CVE-2025-64660

    Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network.... Read more

    Affected Products : visual_studio_code
    • Published: Nov. 20, 2025
    • Modified: Nov. 26, 2025

  • 10.0

    CRITICAL
    CVE-2025-65108

    md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code ... Read more

    Affected Products : markdown_to_pdf
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 4.8

    MEDIUM
    CVE-2025-13566

    A security vulnerability has been detected in jarun nnn up to 5.1. The impacted element is the function show_content_in_floating_window/run_cmd_as_plugin of the file nnn/src/nnn.c. The manipulation leads to double free. An attack has to be approached loca... Read more

    Affected Products :
    • Published: Nov. 23, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-64767

    hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. Th... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Race Condition

  • 8.6

    HIGH
    CVE-2025-48507

    The security state of the calling processor into Arm® Trusted Firmware (TF-A) is not used and could potentially allow non-secure processors access to secure memories, access to crypto operations, and the ability to turn on and off subsystems within the SO... Read more

    Affected Products :
    • Published: Nov. 23, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authentication

  • 8.5

    HIGH
    CVE-2025-65109

    Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs w... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Supply Chain

  • 2.9

    LOW
    CVE-2025-65111

    SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union reference... Read more

    Affected Products : spicedb
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-13136

    The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authe... Read more

    Affected Products :
    • Published: Nov. 22, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 1.0

    LOW
    CVE-2025-54515

    The Secure Flag passed to Versal™ Adaptive SoC’s Arm® Trusted Firmware for Cortex®-A processors (TF-A) for Arm’s Power State Coordination Interface (PSCI) commands were incorrectly set to secure instead of using the processor’s actual security state. This... Read more

    Affected Products :
    • Published: Nov. 23, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-13384

    The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query pa... Read more

    Affected Products : cp_contact_form
    • Published: Nov. 22, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 6.8

    MEDIUM
    CVE-2025-13524

    Improper resource release in the call termination process in AWS Wickr before version 6.62.13 on Windows, macOS and Linux may allow a call participant to continue receiving audio input from another user after they close their call window. This issue occur... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Denial of Service

  • 5.4

    MEDIUM
    CVE-2025-0504

    Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role with the Global User Read access permission enabled access to certain Project Administrator function... Read more

    Affected Products : black_duck_sca
    • Published: Nov. 21, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization
Showing 20 of 4554 Results