Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.9

    MEDIUM
    CVE-2024-10708

    The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks an read arbitrary files on the server... Read more

    Affected Products : system_dashboard
    • Published: Dec. 10, 2024
    • Modified: May. 17, 2025

  • 9.8

    CRITICAL
    CVE-2022-38946

    Arbitrary File Upload vulnerability in Doctor-Appointment version 1.0 in /Frontend/signup_com.php, allows attackers to execute arbitrary code.... Read more

    Affected Products : doctor-appointment
    • Published: Dec. 09, 2024
    • Modified: May. 17, 2025

  • 9.8

    CRITICAL
    CVE-2022-38947

    SQL Injection vulnerability in Flipkart-Clone-PHP version 1.0 in entry.php in product_title parameter, allows attackers to execute arbitrary code.... Read more

    Affected Products : flipkart-clone-php
    • Published: Dec. 09, 2024
    • Modified: May. 17, 2025

  • 4.3

    MEDIUM
    CVE-2024-10480

    The 3DPrint Lite WordPress plugin before 2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.... Read more

    Affected Products : 3dprint_lite
    • Published: Dec. 06, 2024
    • Modified: May. 17, 2025

  • 4.8

    MEDIUM
    CVE-2024-10893

    The WP Booking Calendar WordPress plugin before 10.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disal... Read more

    Affected Products : wp_booking_calendar
    • Published: Dec. 03, 2024
    • Modified: May. 17, 2025

  • 6.1

    MEDIUM
    CVE-2024-9934

    The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin... Read more

    Affected Products : wp_image_zoom wp-imagezoom
    • Published: Nov. 06, 2024
    • Modified: May. 17, 2025

  • 4.8

    MEDIUM
    CVE-2024-8378

    The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachments via raw POST data.... Read more

    Affected Products : safe_svg
    • Published: Nov. 07, 2024
    • Modified: May. 17, 2025

  • 6.4

    MEDIUM
    CVE-2024-10000

    The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitizatio... Read more

    Affected Products : masteriyo
    • Published: Oct. 29, 2024
    • Modified: May. 17, 2025

  • 8.8

    HIGH
    CVE-2024-10008

    The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions... Read more

    Affected Products : masteriyo
    • Published: Oct. 29, 2024
    • Modified: May. 17, 2025

  • 6.5

    MEDIUM
    CVE-2024-51242

    A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. The manipulation of the HTTP Body ip parameter leads to SSRF.... Read more

    Affected Products : eladmin
    • Published: Oct. 30, 2024
    • Modified: May. 17, 2025

  • 7.6

    HIGH
    CVE-2024-5429

    The Logo Slider WordPress plugin before 4.1.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks... Read more

    Affected Products : gs_logo_slider logo_slider logo_slider
    • Published: Oct. 17, 2024
    • Modified: May. 17, 2025

  • 9.8

    CRITICAL
    CVE-2024-48411

    itsourcecode Online Tours and Travels Management System v1.0 is vulnerable to SQL Injection (SQLI) via a crafted payload to the val-email parameter in forget_password.php.... Read more

    • Published: Oct. 15, 2024
    • Modified: May. 17, 2025

  • 7.8

    HIGH
    CVE-2025-26601

    A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes tr... Read more

    • Published: Feb. 25, 2025
    • Modified: May. 16, 2025
    • Vuln Type: Memory Corruption

  • 7.8

    HIGH
    CVE-2025-26600

    A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.... Read more

    • Published: Feb. 25, 2025
    • Modified: May. 16, 2025
    • Vuln Type: Memory Corruption

  • 6.5

    MEDIUM
    CVE-2025-22872

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse ... Read more

    Affected Products : networking
    • Published: Apr. 16, 2025
    • Modified: May. 16, 2025

  • 7.3

    HIGH
    CVE-2025-22235

    EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Sprin... Read more

    Affected Products : spring_boot
    • Published: Apr. 28, 2025
    • Modified: May. 16, 2025
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-1493

    IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service due to concurrent execution of shared resources.... Read more

    Affected Products : db2
    • Published: May. 05, 2025
    • Modified: May. 16, 2025
    • Vuln Type: Denial of Service

  • 5.0

    MEDIUM
    CVE-2024-8654

    MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.... Read more

    Affected Products : mongodb
    • Published: Sep. 10, 2024
    • Modified: May. 16, 2025

  • 6.7

    MEDIUM
    CVE-2024-8207

    In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-co... Read more

    Affected Products : linux_kernel mongodb
    • Published: Aug. 27, 2024
    • Modified: May. 16, 2025

  • 6.9

    MEDIUM
    CVE-2023-3726

    OCSInventory allow stored email template with special characters that lead to a Stored cross-site Scripting.... Read more

    Affected Products : ocsinventory-ocsreports
    • EPSS Score: %0.08
    • Published: Jan. 04, 2024
    • Modified: May. 16, 2025
Showing 20 of 292275 Results