Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2025-4189

    The Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it po... Read more

    Affected Products :
    • Published: May. 17, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 9.8

    CRITICAL
    CVE-2025-4391

    The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unau... Read more

    Affected Products : echo_rss_feed_post_generator
    • Published: May. 17, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authentication

  • 4.8

    MEDIUM
    CVE-2025-41429

    a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user's session.... Read more

    Affected Products : a-blog_cms
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Misconfiguration

  • 9.2

    CRITICAL
    CVE-2025-36560

    Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.... Read more

    Affected Products : a-blog_cms
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Server-Side Request Forgery

  • 9.8

    CRITICAL
    CVE-2025-46801

    Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or ta... Read more

    Affected Products : pgpool-ii
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2025-37891

    In the Linux kernel, the following vulnerability has been resolved: ALSA: ump: Fix buffer overflow at UMP SysEx message conversion The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its s... Read more

    Affected Products : linux_kernel
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Memory Corruption

  • 8.6

    HIGH
    CVE-2025-4477

    The ThreatSonar Anti-Ransomware from TeamT5 has a Privilege Escalation vulnerability, allowing remote attackers with intermediate privileges to escalate their privileges to highest administrator level through a specific API.... Read more

    Affected Products : threatsonar_anti-ransomware
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authorization

  • 3.5

    LOW
    CVE-2025-48219

    O2 UK before 2025-05-19 allows subscribers to determine the Cell ID of other subscribers by initiating an IMS (IP Multimedia Subsystem) call and then reading the utran-cell-id-3gpp field of a Cellular-Network-Info SIP header, aka an ECI (E-UTRAN Cell Iden... Read more

    Affected Products :
    • Published: May. 18, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2025-4846

    A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. This affects an unknown part of the component MPUT Command Handler. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The ex... Read more

    • Published: May. 18, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Memory Corruption

  • 6.4

    MEDIUM
    CVE-2025-4610

    The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on ... Read more

    Affected Products : wp-members
    • Published: May. 17, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 3.1

    LOW
    CVE-2025-22233

    CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring ... Read more

    Affected Products : spring_framework
    • Published: May. 16, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authorization

  • 4.8

    MEDIUM
    CVE-2024-1958

    The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated use... Read more

    Affected Products : wpb_show_core
    • Published: Apr. 08, 2024
    • Modified: May. 19, 2025

  • 6.1

    MEDIUM
    CVE-2024-1956

    The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting... Read more

    Affected Products : wpb_show_core
    • Published: Apr. 08, 2024
    • Modified: May. 19, 2025

  • 4.7

    MEDIUM
    CVE-2024-1292

    The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin... Read more

    Affected Products : wpb_show_core
    • Published: Apr. 08, 2024
    • Modified: May. 19, 2025

  • 8.8

    HIGH
    CVE-2024-2016

    A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the... Read more

    Affected Products : zhicms
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 9.8

    CRITICAL
    CVE-2023-48902

    An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.... Read more

    Affected Products : autoexpress
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 6.1

    MEDIUM
    CVE-2023-48903

    Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter "imgType" via in uploadCarImages.php.... Read more

    Affected Products : autoexpress
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 9.8

    CRITICAL
    CVE-2023-48901

    A SQL injection vulnerability in tramyardg Autoexpress version 1.3.0, allows remote unauthenticated attackers to execute arbitrary SQL commands via the parameter "id" within the getPhotosByCarId function call in details.php.... Read more

    Affected Products : autoexpress
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 8.8

    HIGH
    CVE-2024-2015

    A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be ... Read more

    Affected Products : zhicms
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 7.5

    HIGH
    CVE-2024-24549

    Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until af... Read more

    Affected Products : fedora debian_linux tomcat
    • Published: Mar. 13, 2024
    • Modified: May. 19, 2025
Showing 20 of 291878 Results