Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2025-63513

    kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in the appointment cancellation functionality.... Read more

    Affected Products : hospital_management_system
    • Published: Nov. 18, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authorization

  • 6.1

    MEDIUM
    CVE-2025-63514

    kishan0725 Hospital Management System has a Cross-Site Scripting (XSS) vulnerability in appsearch.php via the email parameter.... Read more

    Affected Products : hospital_management_system
    • Published: Nov. 18, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.8

    MEDIUM
    CVE-2025-63892

    A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. This manipulation of the argument name/description ... Read more

    Affected Products : student_grades_management_system
    • Published: Nov. 18, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.6

    HIGH
    CVE-2025-34322

    Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability via the experimental 'Natural Language Queries' feature. Configuration values for this feature are read from the application settings and incorporated ... Read more

    Affected Products : log_server
    • Published: Nov. 17, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 8.5

    HIGH
    CVE-2025-34323

    Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to unsafe interaction between sudo rules and file system permissions. The web server account is granted passwordless sudo access to certain maintenance scripts... Read more

    Affected Products : log_server
    • Published: Nov. 17, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-64753

    grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if t... Read more

    Affected Products : grist-core
    • Published: Nov. 13, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-6171

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by a... Read more

    Affected Products : gitlab
    • Published: Nov. 15, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authorization

  • 3.5

    LOW
    CVE-2025-6945

    GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hi... Read more

    Affected Products : gitlab
    • Published: Nov. 15, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2025-7000

    An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessin... Read more

    Affected Products : gitlab
    • Published: Nov. 15, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-13239

    A security vulnerability has been detected in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution 5. Affected by this issue is some unknown functionality of the file /submit_checkout. Such manipulation of the argument order_total_amount/... Read more

    Affected Products : isshue
    • Published: Nov. 16, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-13250

    A vulnerability was detected in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. The attack may be initiated remotel... Read more

    Affected Products : datax-web
    • Published: Nov. 16, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-13251

    A flaw has been found in WeiYe-Jing datax-web up to 2.1.2. Affected is an unknown function. Executing manipulation can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.... Read more

    Affected Products : datax-web
    • Published: Nov. 16, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 7.1

    HIGH
    CVE-2025-11681

    Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.... Read more

    Affected Products : m-files_server
    • Published: Nov. 17, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Denial of Service

  • 9.8

    CRITICAL
    CVE-2025-13267

    A vulnerability was detected in SourceCodester Dental Clinic Appointment Reservation System 1.0. Impacted is an unknown function of the file /success.php. Performing manipulation of the argument username/password results in sql injection. The attack can b... Read more

    • Published: Nov. 17, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2025-63708

    Cross-Site Scripting (XSS) vulnerability exists in SourceCodester AI Font Matcher (nid=18425, 2025-10-10) that allows remote attackers to execute arbitrary JavaScript in victims' browsers. The vulnerability occurs in the webfonts API handling mechanism wh... Read more

    Affected Products : ai_font_matcher
    • Published: Nov. 17, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-13297

    A security vulnerability has been detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. The impacted element is an unknown function of the file /course/controller.php. Such manipulation leads to sql injection. The attack can be exe... Read more

    • Published: Nov. 17, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 7.2

    HIGH
    CVE-2025-12859

    A vulnerability has been found in DedeBIZ up to 6.3.2. This impacts an unknown function of the file /admin/templets_one_edit.php. The manipulation of the argument ids leads to sql injection. Remote exploitation of the attack is possible. The exploit has b... Read more

    Affected Products : dedebiz
    • Published: Nov. 07, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 7.2

    HIGH
    CVE-2025-12860

    A vulnerability was found in DedeBIZ up to 6.3.2. Affected is an unknown function of the file /admin/freelist_main.php. The manipulation of the argument orderby results in sql injection. The attack can be executed remotely. The exploit has been made publi... Read more

    Affected Products : dedebiz
    • Published: Nov. 07, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2025-63693

    The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct ... Read more

    Affected Products : dzzoffice
    • Published: Nov. 18, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-12861

    A vulnerability was determined in DedeBIZ up to 6.3.2. Affected by this vulnerability is an unknown functionality of the file /admin/spec_add.php. This manipulation of the argument flags[] causes sql injection. The attack is possible to be carried out rem... Read more

    Affected Products : dedebiz
    • Published: Nov. 07, 2025
    • Modified: Nov. 20, 2025
    • Vuln Type: Injection
Showing 20 of 3675 Results