Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 10.0

    CRITICAL
    CVE-2025-64126

    An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an un... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Injection

  • 5.8

    MEDIUM
    CVE-2025-49642

    Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.... Read more

    Affected Products : zabbix
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Misconfiguration

  • 6.8

    MEDIUM
    CVE-2025-27232

    An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.... Read more

    Affected Products : zabbix
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 4.8

    MEDIUM
    CVE-2025-41070

    Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be... Read more

    Affected Products :
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.8

    HIGH
    CVE-2025-41700

    An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.... Read more

    Affected Products : development_system
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Misconfiguration

  • 8.2

    HIGH
    CVE-2025-66384

    app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.... Read more

    Affected Products : misp
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Misconfiguration

  • 6.1

    MEDIUM
    CVE-2025-13819

    Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks.... Read more

    Affected Products :
    • Published: Dec. 01, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Misconfiguration

  • 8.4

    HIGH
    CVE-2025-66223

    OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same ... Read more

    Affected Products : openobserve
    • Published: Nov. 29, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 6.9

    MEDIUM
    CVE-2025-12143

    Stack-based Buffer Overflow vulnerability in ABB Terra AC wallbox.This issue affects Terra AC wallbox: through 1.8.33.... Read more

    Affected Products :
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Memory Corruption

  • 9.4

    CRITICAL
    CVE-2025-66385

    UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in th... Read more

    Affected Products : cerebrate
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 2.4

    LOW
    CVE-2025-13742

    Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Mark... Read more

    Affected Products : pretix
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Information Disclosure

  • 6.5

    MEDIUM
    CVE-2025-13378

    The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated... Read more

    Affected Products : chatgpt_assistant
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Server-Side Request Forgery

  • 5.4

    MEDIUM
    CVE-2025-30186

    Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the prov... Read more

    Affected Products : ox_app_suite
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.1

    MEDIUM
    CVE-2025-66386

    app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.... Read more

    Affected Products : misp
    • Published: Nov. 28, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Path Traversal

  • 9.2

    CRITICAL
    CVE-2024-5539

    The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation serv... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2020-36874

    ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication ... Read more

    Affected Products :
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Information Disclosure

  • 6.9

    MEDIUM
    CVE-2024-5540

    The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels allowing a malicious actor to compromise the client browser .... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.4

    MEDIUM
    CVE-2025-12185

    The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, ... Read more

    Affected Products : stafflist
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-12649

    The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on use... Read more

    Affected Products :
    • Published: Nov. 27, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.4

    CRITICAL
    CVE-2025-62593

    Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browse... Read more

    Affected Products : ray
    • Published: Nov. 26, 2025
    • Modified: Dec. 01, 2025
    • Vuln Type: Authentication
Showing 20 of 4855 Results