Latest Cybersecurity Vulnerabilities - Real-Time Updates

Latest 30 CVEs - Real-Time Cyber Threats

Cyber threats are constantly evolving, making real-time vulnerability tracking essential. Below are the 30 most recently disclosed Common Vulnerabilities and Exposures (CVEs), providing key details such as affected vendors, impact levels, and risk scores.

Each CVE entry includes a brief summary and a direct link to its full details, enabling cybersecurity professionals, system administrators, and developers to quickly assess and mitigate potential security risks.

CVE-2025-12598 Security Flaw Alert
A flaw has been found in SourceCodester Best House Rental Management System 1.0. Affected by this issue is the function save_tenant of the file /admin_class.php. Executing manipulation of the argument firstname can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. Other parameters might be affected as well.
Score: 4.7_/10 ⚠️ Medium Risk
Published on 02 Nov 2025, 12:15 UTC (only 2 hours ago)
CVE-2025-12597 Risk & Patch Advisory
A vulnerability was detected in SourceCodester Best House Rental Management System 1.0. Affected by this vulnerability is the function save_category of the file /admin_class.php. Performing manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.
Score: 4.7_/10 ⚠️ Medium Risk
Published on 02 Nov 2025, 12:15 UTC (only 2 hours ago)
CVE-2025-12596 Urgent Exploit Warning
A security vulnerability has been detected in Tenda AC23 16.03.07.52. Affected is the function saveParentControlInfo of the file /goform/saveParentControlInfo. Such manipulation of the argument Time leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Score: 8.8_/10 ☠️ Severe Risk
Published on 02 Nov 2025, 11:15 UTC (only 3 hours ago)
CVE-2025-12595 Severe Vulnerability Alert
A weakness has been identified in Tenda AC23 16.03.07.52. This impacts the function formSetVirtualSer of the file /goform/SetVirtualServerCfg. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.
Score: 8.8_/10 ☠️ Severe Risk
Published on 02 Nov 2025, 10:15 UTC (only 4 hours ago)
CVE-2025-12594 Risk & Patch Advisory
A security flaw has been discovered in code-projects Simple Online Hotel Reservation System 2.0. This affects an unknown function of the file /admin/add_account.php. The manipulation of the argument Name results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited.
Score: 4.7_/10 ⚠️ Medium Risk
Published on 02 Nov 2025, 09:15 UTC (only 5 hours ago)
CVE-2025-12593 Security Flaw Alert
A vulnerability was identified in code-projects Simple Online Hotel Reservation System 2.0. The impacted element is an unknown function of the file /admin/edit_room.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
Score: 4.7_/10 ⚠️ Medium Risk
Published on 02 Nov 2025, 05:15 UTC (only 9 hours ago)
CVE-2025-12603 Technical Report
/etc/timezone can be Arbitrarily Written.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. ⏳ Analysis in Progress 01 Nov 2025, 19:15 UTC (19 hours ago)
CVE-2025-12602 Security Notice
/etc/avahi/services/z9.service can be Arbitrarily Written.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. ⏳ Analysis in Progress 01 Nov 2025, 19:15 UTC (19 hours ago)
CVE-2025-12601 Security Notice
Denial of Service Due to SlowLoris.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. ⏳ Analysis in Progress 01 Nov 2025, 19:15 UTC (19 hours ago)
CVE-2025-12600 Security Notice
Web UI Malfunction when setting unexpected locale via API.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. ⏳ Analysis in Progress 01 Nov 2025, 19:15 UTC (19 hours ago)
CVE-2025-12599 Technical Report
Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. ⏳ Analysis in Progress 01 Nov 2025, 19:15 UTC (19 hours ago)
CVE-2025-36367 Urgent Exploit Warning
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host operating system.
Score: 8.8_/10 ☠️ Severe Risk
Published on 01 Nov 2025, 12:15 UTC (only 1 day ago)
CVE-2025-6990 Severe Vulnerability Alert
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Score: 8.8_/10 ☠️ Severe Risk
Published on 01 Nov 2025, 08:15 UTC (only 1 day ago)
CVE-2025-6988 High-Risk Security Alert
The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Score: 6.4_/10 🔥 High Risk
Published on 01 Nov 2025, 08:15 UTC (only 1 day ago)
CVE-2025-6574 Severe Vulnerability Alert
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Score: 8.8_/10 ☠️ Severe Risk
Published on 01 Nov 2025, 07:15 UTC (only 1 day ago)
CVE-2025-12171 Immediate Threat Report
The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This requires the attacker have access to a defined third-party server as specified in the settings, so it is unlikely that this will be exploitable by contributor-level users, and more likely to be exploited by admini...
Score: 8.8_/10 ☠️ Severe Risk
Published on 01 Nov 2025, 07:15 UTC (only 1 day ago)
CVE-2025-12137 Security Flaw Alert
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.
Score: 4.9_/10 ⚠️ Medium Risk
Published on 01 Nov 2025, 07:15 UTC (only 1 day ago)
CVE-2025-11755 Immediate Threat Report
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
Score: 8.8_/10 ☠️ Severe Risk
Published on 01 Nov 2025, 07:15 UTC (only 1 day ago)
CVE-2025-11499 Critical Vulnerability Alert
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.
Score: 9.8_/10 ☠️ Critical Risk
Published on 01 Nov 2025, 07:15 UTC (only 1 day ago)
CVE-2025-10487 Critical Security Advisory
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the endpoint not properly restricting access to the AJAX endpoint or limiting the functions that can be called to safe functions. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_ like get_the_excerpt which can make information exposure possible.
Score: 7.3_/10 🔥 Very High Risk
Published on 01 Nov 2025, 07:15 UTC (only 1 day ago)