Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.3

    HIGH
    CVE-2025-12739

    An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Sel... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.6

    CRITICAL
    CVE-2025-60739

    Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 7.5

    HIGH
    CVE-2025-41729

    An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2025-41016

    Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/<MEDIA>”, where the “MEDIA” parameter can take the value of “... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 5.1

    MEDIUM
    CVE-2025-65944

    Sentry-Javascript is an official Sentry SDKs for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including th... Read more

    Affected Products : astro
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Information Disclosure

  • 4.3

    MEDIUM
    CVE-2025-12587

    The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to a... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.9

    MEDIUM
    CVE-2025-41017

    Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 6.9

    MEDIUM
    CVE-2025-59372

    A path traversal vulnerability has been identified in certain router models. A remote, authenticated attacker could exploit this vulnerability to write files outside the intended directory, potentially affecting device integrity. Refer to the 'Security Up... Read more

    Affected Products : router
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Path Traversal

  • 4.3

    MEDIUM
    CVE-2025-12634

    The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authe... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-13382

    The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/fi... Read more

    Affected Products : frontend_file_manager_plugin
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 7.2

    HIGH
    CVE-2025-13376

    The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-64693

    Security Point (Windows) of MaLion and MaLionCloud contains a heap-based buffer overflow vulnerability in processing Content-Length. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with S... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-62691

    Security Point (Windows) of MaLion and MaLionCloud contains a stack-based buffer overflow vulnerability in processing HTTP headers. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SY... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Memory Corruption

  • 4.8

    MEDIUM
    CVE-2025-59485

    Incorrect default permissions issue exists in Security Point (Windows) of MaLion prior to Ver.5.3.4. If this vulnerability is exploited, an arbitrary file could be placed in the specific folder by a user who can log in to the system where the product's Wi... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-13389

    The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This ... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-13588

    A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotel... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Server-Side Request Forgery

  • 7.7

    HIGH
    CVE-2025-12741

    A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been miti... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2025-10554

    A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in ENOVIA Product Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-13404

    The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authentica... Read more

    Affected Products :
    • Published: Nov. 25, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Authorization

  • 8.3

    HIGH
    CVE-2025-44018

    A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.... Read more

    Affected Products :
    • Published: Nov. 24, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Misconfiguration
Showing 20 of 4489 Results