Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.4

    HIGH
    CVE-2008-1454

    Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008 allows remote attackers to conduct cache poisoning attacks via unknown vectors related to accepting "records from a response that is outside the remot... Read more

    • Published: Jul. 08, 2008
    • Modified: Apr. 09, 2025

  • 9.4

    CRITICAL
    CVE-2025-40746

    A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V3.2). Affected products do not properly validate input for a backup script. This could allow an authenticated remote attacker with high privileges in the application to ... Read more

    Affected Products : simatic_rtls_locating_manager
    • Published: Aug. 12, 2025
    • Modified: Aug. 20, 2025
    • Vuln Type: Misconfiguration

  • 9.4

    CRITICAL
    CVE-2025-8876

    Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1.... Read more

    Affected Products : n-central
    • Actively Exploited
    • Published: Aug. 14, 2025
    • Modified: Aug. 15, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2024-11167

    An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prom... Read more

    Affected Products : librechat
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Authorization

  • 9.4

    CRITICAL
    CVE-2012-10040

    Openfiler v2.x contains a command injection vulnerability in the system.html page. The device parameter is used to instantiate a NetworkCard object, whose constructor in network.inc calls exec() with unsanitized input. An authenticated attacker can exploi... Read more

    Affected Products : openfiler
    • Published: Aug. 11, 2025
    • Modified: Aug. 11, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-34104

    An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (... Read more

    Affected Products :
    • Published: Jul. 15, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-53946

    WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.5 in the `id_funcionario` parameter of the `/html/saude/profile_paciente.php` en... Read more

    Affected Products : wegia
    • Published: Jul. 17, 2025
    • Modified: Jul. 30, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-54060

    WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the `idatendido_familiares` parameter of the `/html/funcionario/dependente_... Read more

    Affected Products : wegia
    • Published: Jul. 17, 2025
    • Modified: Jul. 30, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-7783

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.... Read more

    Affected Products : form-data
    • Published: Jul. 18, 2025
    • Modified: Jul. 22, 2025
    • Vuln Type: Misconfiguration

  • 9.4

    CRITICAL
    CVE-2024-41790

    A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the region parameter in specific POST requests. This could allow an authenticated remote attacker to execute ar... Read more

    Affected Products :
    • Published: Apr. 08, 2025
    • Modified: Apr. 08, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-3114

    Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Sandbox Bypass Vulnerability: A flaw in the TERR security... Read more

    Affected Products :
    • Published: Apr. 09, 2025
    • Modified: Apr. 15, 2025
    • Vuln Type: Misconfiguration

  • 9.4

    CRITICAL
    CVE-2025-36852

    A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those using Amazon S3, Google Cloud Storage, or similar object storage) that allows any contributor with pull request... Read more

    • Published: Jun. 10, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Supply Chain

  • 9.4

    CRITICAL
    CVE-2025-48047

    An authenticated user can perform command injection via unsanitized input to the NetFax Server’s ping functionality via the /test.php endpoint.... Read more

    Affected Products :
    • Published: May. 29, 2025
    • Modified: May. 29, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-49008

    Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheo... Read more

    Affected Products :
    • Published: Jun. 05, 2025
    • Modified: Jun. 05, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2024-48849

    Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through <= 9.3.4.... Read more

    Affected Products :
    • Published: Jan. 29, 2025
    • Modified: Jan. 29, 2025
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-22140

    WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar_um.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitr... Read more

    Affected Products : wegia
    • Published: Jan. 08, 2025
    • Modified: Apr. 09, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-22141

    WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. This vulnerability allows attackers to execute arbitrary SQL commands,... Read more

    Affected Products : wegia
    • Published: Jan. 08, 2025
    • Modified: Apr. 09, 2025
    • Vuln Type: Injection

  • 9.4

    CRITICAL
    CVE-2025-22152

    Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities c... Read more

    Affected Products :
    • Published: Jan. 10, 2025
    • Modified: Jan. 10, 2025
    • Vuln Type: Path Traversal

  • 9.4

    CRITICAL
    CVE-2024-42168

    HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content.... Read more

    Affected Products : dryice_myxalytics
    • Published: Jan. 11, 2025
    • Modified: May. 16, 2025
    • Vuln Type: Misconfiguration

  • 9.4

    CRITICAL
    CVE-2025-1980

    The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. ... Read more

    Affected Products :
    • Published: Apr. 16, 2025
    • Modified: Apr. 16, 2025
    • Vuln Type: Misconfiguration
Showing 20 of 293302 Results