Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.4

    CRITICAL
    CVE-2024-47062

    Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furt... Read more

    Affected Products : navidrome
    • Published: Sep. 20, 2024
    • Modified: Aug. 26, 2025

  • 9.4

    CRITICAL
    CVE-2025-34055

    An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the st... Read more

    Affected Products :
    • Published: Jul. 01, 2025
    • Modified: Jul. 03, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-34056

    An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are direc... Read more

    Affected Products :
    • Published: Jul. 01, 2025
    • Modified: Jul. 03, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-34074

    An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a re... Read more

    Affected Products :
    • Published: Jul. 02, 2025
    • Modified: Jul. 03, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-48952

    NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows users to bypass password verification using SHA-256 magic hashes, due to loose comparison in PHP. In vulnerable vers... Read more

    Affected Products : netalertx
    • Published: Jul. 04, 2025
    • Modified: Aug. 06, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-6793

    Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information on affected installat... Read more

    Affected Products : qconvergeconsole
    • Published: Jul. 07, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Path Traversal

  • 9.4

    CRITICAL
    CVE-2024-13955

    2nd Order SQL injection vulnerabilities in ASPECT allow unintended access and manipulation of database repositories if administrator credentials become compromised.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series... Read more

    Affected Products :
    • Published: May. 22, 2025
    • Modified: May. 23, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-46816

    goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli... Read more

    Affected Products :
    • Published: May. 06, 2025
    • Modified: May. 07, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-26605

    WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, `deletar_cargo.php` endpoint. This vulnerability could allow an authorized attacker to e... Read more

    Affected Products : wegia
    • Published: Feb. 18, 2025
    • Modified: Apr. 10, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-26614

    WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, `deletar_documento.php` endpoint. This vulnerability allow an authorized attacker to exe... Read more

    Affected Products : wegia
    • Published: Feb. 18, 2025
    • Modified: Feb. 28, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-24901

    WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, `deletar_permissao.php` endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing a... Read more

    Affected Products : wegia
    • Published: Feb. 03, 2025
    • Modified: Feb. 13, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-24958

    WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, `salvar_tag.php` endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing access t... Read more

    Affected Products : wegia
    • Published: Feb. 03, 2025
    • Modified: Feb. 13, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2023-5878

    Honeywell OneWireless Wireless Device Manager (WDM) for the following versions R310.x, R320.x, R321.x, R322.1, R322.2, R323.x, R330.1 contains a command injection vulnerability. An attacker who is authenticated could use the firmware update process to p... Read more

    Affected Products :
    • Published: Feb. 06, 2025
    • Modified: Feb. 18, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2024-13872

    Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token A... Read more

    Affected Products : box_firmware box
    • Published: Mar. 12, 2025
    • Modified: Jul. 30, 2025
    • Vuln Type: Misconfiguration

  • 9.4

    CRITICAL
    CVE-2025-2304

    A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which all... Read more

    Affected Products : camaleon_cms
    • Published: Mar. 14, 2025
    • Modified: Mar. 14, 2025
    • Vuln Type: Authorization

  • 9.4

    CRITICAL
    CVE-2025-3659

    Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP IA/Digi One IA - ... Read more

    Affected Products : portserver_ts_firmware
    • Published: May. 12, 2025
    • Modified: May. 13, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-22248

    The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itsel... Read more

    Affected Products : bitnami bitnami_popool bitnami\/pgpool
    • Published: May. 13, 2025
    • Modified: Jul. 18, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-47788

    Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server ... Read more

    Affected Products :
    • Published: May. 15, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Path Traversal

  • 9.4

    CRITICAL
    CVE-2025-34024

    An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior via the mp.asp form handler. The /goform/mp endpoint improperly handles user-supplied input to the command parameter. An authenticated attacker can injec... Read more

    Affected Products :
    • Published: Jun. 20, 2025
    • Modified: Jun. 23, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-34029

    An OS command injection vulnerability exists in the Edimax EW-7438RPn Mini firmware version 1.13 and prior via the syscmd.asp form handler. The /goform/formSysCmd endpoint exposes a system command interface through the sysCmd parameter. A remote authentic... Read more

    Affected Products :
    • Published: Jun. 20, 2025
    • Modified: Jun. 23, 2025
    • Vuln Type: Injection
Showing 20 of 291783 Results