Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2021-25979

    Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a miti... Read more

    Affected Products : apostrophecms
    • Published: Nov. 08, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25978

    Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.... Read more

    Affected Products : apostrophecms
    • Published: Nov. 07, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25977

    In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS due to the page title improperly sanitized. By creating a page with a specially crafted page title, a low privileged user can trigger arbitrary JavaScript execution.... Read more

    Affected Products : piranha_cms
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2021-25976

    In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., w... Read more

    Affected Products : piranha_cms
    • Published: Nov. 16, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25975

    In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file.... Read more

    Affected Products : publify
    • Published: Nov. 10, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25974

    In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.... Read more

    Affected Products : publify
    • Published: Nov. 10, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-25973

    In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only.... Read more

    Affected Products : publify
    • Published: Nov. 02, 2021
    • Modified: Nov. 21, 2024

  • 4.9

    MEDIUM
    CVE-2021-25972

    In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other int... Read more

    Affected Products : camaleon_cms
    • Published: Oct. 20, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-25971

    In Camaleon CMS, versions 2.0.1 to 2.6.0 are vulnerable to an Uncaught Exception. The app's media upload feature crashes permanently when an attacker with a low privileged access uploads a specially crafted .svg file... Read more

    Affected Products : camaleon_cms
    • Published: Oct. 20, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25970

    Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed.... Read more

    Affected Products : camaleon_cms
    • Published: Oct. 20, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25969

    In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the ... Read more

    Affected Products : camaleon_cms
    • Published: Oct. 20, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25968

    In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the pa... Read more

    Affected Products : opencms
    • Published: Oct. 19, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25967

    In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a vi... Read more

    Affected Products : ckan
    • Published: Dec. 01, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25966

    In “Orchard core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will sti... Read more

    Affected Products : orchard_core
    • Published: Oct. 10, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25965

    In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing th... Read more

    Affected Products : calibre-web calibre-web
    • Published: Nov. 16, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25964

    In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS wi... Read more

    Affected Products : calibre-web calibre-web
    • Published: Oct. 04, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25963

    In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped.... Read more

    Affected Products : shuup
    • Published: Sep. 30, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25962

    “Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports pag... Read more

    Affected Products : shuup
    • Published: Sep. 29, 2021
    • Modified: Nov. 21, 2024

  • 8.0

    HIGH
    CVE-2021-25961

    In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the ... Read more

    Affected Products : suitecrm
    • Published: Sep. 29, 2021
    • Modified: Nov. 21, 2024

  • 8.0

    HIGH
    CVE-2021-25960

    In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an adminis... Read more

    Affected Products : suitecrm
    • Published: Sep. 29, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 294193 Results