Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-63218

    The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 4.9

    MEDIUM
    CVE-2025-61663

    A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloa... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Denial of Service

  • 5.0

    MEDIUM
    CVE-2025-12766

    An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warn... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization

  • 4.9

    MEDIUM
    CVE-2025-61664

    A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit th... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Memory Corruption

  • 5.3

    MEDIUM
    CVE-2025-12814

    The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to n incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it possible for authent... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-12174

    The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'directorist_prepare_listings_export_file' and 'directorist_type_slug_cha... Read more

    Affected Products : directorist
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization

  • 4.8

    MEDIUM
    CVE-2025-13397

    A security vulnerability has been detected in mrubyc up to 3.4. This impacts the function mrbc_raw_realloc of the file src/alloc.c. Such manipulation of the argument ptr leads to null pointer dereference. An attack has to be approached locally. The name o... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Memory Corruption

  • 5.4

    MEDIUM
    CVE-2025-11963

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities allows Reflected XSS.This issue affects StarCities: before 1.1.61.... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.1

    HIGH
    CVE-2025-65029

    Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endp... Read more

    Affected Products : rallly
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization

  • 7.2

    HIGH
    CVE-2025-63227

    The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary files (e.g., PHP webshells), whic... Read more

    Affected Products :
    • Published: Nov. 18, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 8.6

    HIGH
    CVE-2025-10702

    Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection optio... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Injection

  • 0.0

    NA
    CVE-2025-63221

    The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administra... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2025-12426

    The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization ... Read more

    Affected Products : quiz_maker
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization

  • 6.9

    MEDIUM
    CVE-2025-64765

    Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determ... Read more

    Affected Products : astro
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2025-12535

    The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_aja... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 7.1

    HIGH
    CVE-2025-12472

    An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerab... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Race Condition

  • 8.5

    HIGH
    CVE-2025-34333

    AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 configure the web document root at C:\\F2MAdmin\\F2E with overly permissive file system permissions. Authenticated local users have modify rights on this directory... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Misconfiguration

  • 7.2

    HIGH
    CVE-2025-13206

    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This ... Read more

    Affected Products : givewp
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.3

    CRITICAL
    CVE-2025-12592

    Legacy Vivotek Device firmware uses default credetials for the root and user login accounts.... Read more

    Affected Products :
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2025-12427

    The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it p... Read more

    Affected Products : yith_woocommerce_wishlist
    • Published: Nov. 19, 2025
    • Modified: Nov. 19, 2025
    • Vuln Type: Authorization
Showing 20 of 3685 Results