Latest Cybersecurity Vulnerabilities | Real-Time CVE Database

Latest 30 CVEs - Real-Time Cyber Threats

Cyber threats are constantly evolving, making real-time vulnerability tracking essential. Below are the 30 most recently disclosed Common Vulnerabilities and Exposures (CVEs), providing key details such as affected vendors, impact levels, and risk scores.

Each CVE entry includes a brief summary and a direct link to its full details, enabling cybersecurity professionals, system administrators, and developers to quickly assess and mitigate potential security risks.

CVE-2025-65961 Security Issue Details

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patch them manually.

Score: 3.3_/10 ⚠️ Moderate Risk

Published on 25 Nov 2025, 19:15 UTC (only 1 hour ago)

CVE-2025-65960 Active Exploit Warning

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.

Score: 6.6_/10 🔥 High Risk

Published on 25 Nov 2025, 19:15 UTC (only 1 hour ago)

CVE-2025-64067 Technical Report

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause ... ⏳ Analysis in Progress 25 Nov 2025, 19:15 UTC (1 hour ago)

CVE-2025-64065 Technical Report

The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitrary user, including application Administrators. This is due to a Broken Function Level Authorization failure (the function doesn't check the caller's privilege) compounded by an Insecure Design that permits a session switch without requiring the... ⏳ Analysis in Progress 25 Nov 2025, 19:15 UTC (1 hour ago)

CVE-2025-64064 Vulnerability Insight

Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges. ⏳ Analysis in Progress 25 Nov 2025, 19:15 UTC (1 hour ago)

CVE-2025-64063 Vulnerability Insight

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: Unauthorized Account modification, modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint; Confidential Data Access, accessing and downloading sensitive organizational documents v... ⏳ Analysis in Progress 25 Nov 2025, 19:15 UTC (1 hour ago)

CVE-2025-61168 Security Notice

An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. ⏳ Analysis in Progress 25 Nov 2025, 19:15 UTC (1 hour ago)

CVE-2025-61167 Vulnerability Insight

SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters. ⏳ Analysis in Progress 25 Nov 2025, 19:15 UTC (1 hour ago)

CVE-2025-34350 Security Notice

UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outboun... ⏳ Analysis in Progress 25 Nov 2025, 19:15 UTC (1 hour ago)

CVE-2025-65085 Vulnerability Insight

A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. ⏳ Analysis in Progress 25 Nov 2025, 18:15 UTC (2 hours ago)

CVE-2025-65084 Technical Report

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. ⏳ Analysis in Progress 25 Nov 2025, 18:15 UTC (2 hours ago)

CVE-2025-64066 Vulnerability Insight

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete... ⏳ Analysis in Progress 25 Nov 2025, 18:15 UTC (2 hours ago)

CVE-2025-64062 Security Notice

The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., otheruser@user.com), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level. ⏳ Analysis in Progress 25 Nov 2025, 18:15 UTC (2 hours ago)

CVE-2025-33205 Exploitable Vulnerability Warning

NVIDIA NeMo framework contains a vulnerability in a predefined variable, where an attacker could cause inclusion of functionality from an untrusted control sphere by use of a predefined variable. A successful exploit of this vulnerability may lead to code execution.

Score: 7.3_/10 🔥 Very High Risk