Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.1

    CRITICAL
    CVE-2025-68620

    Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-base... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2024-55374

    REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts.... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2025-47411

    A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator.  This vulnerability allows an ... Read more

    Affected Products : streampipes
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-69284

    Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is acce... Read more

    Affected Products : plane
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Information Disclosure

  • 0.0

    NA
    CVE-2025-48768

    Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer derefere... Read more

    Affected Products : nuttx
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 3.4

    LOW
    CVE-2025-69412

    KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration.... Read more

    Affected Products : messagelib
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Misconfiguration

  • 8.9

    HIGH
    CVE-2025-69286

    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mut... Read more

    Affected Products : ragflow
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2025-65125

    SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information.... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Injection

  • 2.2

    LOW
    CVE-2025-62857

    A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versi... Read more

    Affected Products : qumagie
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.3

    MEDIUM
    CVE-2025-15398

    A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The at... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Authentication

  • 7.0

    HIGH
    CVE-2025-62842

    An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed ... Read more

    Affected Products : hbs_3_hybrid_backup_sync
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 4.6

    MEDIUM
    CVE-2025-57705

    An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems... Read more

    Affected Products : qts quts_hero
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 6.1

    MEDIUM
    CVE-2025-67709

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a v... Read more

    Affected Products : arcgis_server
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Cross-Site Scripting

  • 1.2

    LOW
    CVE-2025-53590

    A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have ... Read more

    Affected Products : qts
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 8.1

    HIGH
    CVE-2025-59384

    A path traversal vulnerability has been reported to affect Qfiling. The remote attackers can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling... Read more

    Affected Products :
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 1.3

    LOW
    CVE-2025-53592

    A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fi... Read more

    Affected Products : qts quts_hero
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2025-15411

    A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It i... Read more

    Affected Products : wabt
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Memory Corruption

  • 6.9

    MEDIUM
    CVE-2025-34469

    Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to a... Read more

    Affected Products :
    • Published: Dec. 31, 2025
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 4.6

    MEDIUM
    CVE-2025-59380

    A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We ha... Read more

    Affected Products : qts quts_hero
    • Published: Jan. 02, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Path Traversal

  • 6.4

    MEDIUM
    CVE-2025-14627

    The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink ... Read more

    Affected Products :
    • Published: Jan. 01, 2026
    • Modified: Jan. 02, 2026
    • Vuln Type: Server-Side Request Forgery
Showing 20 of 5227 Results