Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.4

    MEDIUM
    CVE-2024-57438

    Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles.... Read more

    Affected Products : ruoyi
    • Published: Jan. 29, 2025
    • Modified: May. 14, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2024-57437

    RuoYi v4.8.0 was discovered to contain a SQL injection vulnerability via the orderby parameter at /monitor/online/list.... Read more

    Affected Products : ruoyi
    • Published: Jan. 29, 2025
    • Modified: May. 14, 2025
    • Vuln Type: Injection

  • 7.2

    HIGH
    CVE-2024-57436

    RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.... Read more

    Affected Products : ruoyi
    • Published: Jan. 29, 2025
    • Modified: May. 14, 2025
    • Vuln Type: Authentication

  • 6.3

    MEDIUM
    CVE-2024-54762

    Ruoyi v.4.7.9 and before contains an authenticated SQL injection vulnerability. This is because the filterKeyword method does not completely filter SQL injection keywords, resulting in the risk of SQL injection.... Read more

    Affected Products : ruoyi
    • Published: Jan. 09, 2025
    • Modified: May. 14, 2025
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2024-42900

    Ruoyi v4.7.9 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the sql parameter of the createTable() function at /tool/gen/create.... Read more

    Affected Products : ruoyi
    • Published: Aug. 28, 2024
    • Modified: May. 14, 2025

  • 6.1

    MEDIUM
    CVE-2024-6511

    A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function isJsonRequest of the component Content-Type Handler. The manipulation of the argument HttpHeaders.CONTENT_TYPE leads to cros... Read more

    Affected Products : ruoyi
    • Published: Jul. 04, 2024
    • Modified: May. 14, 2025

  • 6.5

    MEDIUM
    CVE-2024-9355

    A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between... Read more

    • Published: Oct. 01, 2024
    • Modified: May. 14, 2025

  • 7.5

    HIGH
    CVE-2024-24981

    Improper input validation in PfrSmiUpdateFw driver in UEFI firmware for some Intel(R) Server M50FCP Family products may allow a privileged user to enable escalation of privilege via local access.... Read more

    Affected Products : server_board_s2600bp_firmware
    • Published: May. 16, 2024
    • Modified: May. 14, 2025

  • 7.5

    HIGH
    CVE-2024-29400

    An issue was discovered in RuoYi v4.5.1, allows attackers to obtain sensitive information via the status parameter.... Read more

    Affected Products : ruoyi
    • Published: Apr. 12, 2024
    • Modified: May. 14, 2025

  • 6.8

    MEDIUM
    CVE-2024-2907

    The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for exam... Read more

    Affected Products : absolutely_glamorous_custom_admin
    • Published: Apr. 25, 2024
    • Modified: May. 14, 2025

  • 5.5

    MEDIUM
    CVE-2024-3048

    The Bannerlid WordPress plugin through 1.1.0 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators... Read more

    Affected Products : bannerlid
    • Published: Apr. 26, 2024
    • Modified: May. 14, 2025

  • 6.3

    MEDIUM
    CVE-2024-3188

    The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributo... Read more

    Affected Products : shortcodes_ultimate
    • Published: Apr. 26, 2024
    • Modified: May. 14, 2025

  • 4.8

    MEDIUM
    CVE-2023-5971

    The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit... Read more

    Affected Products : save_as_pdf
    • Published: May. 14, 2024
    • Modified: May. 14, 2025

  • 7.2

    HIGH
    CVE-2025-2170

    A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface, which in specific conditions could potentially enable a remote unauthenticated attacker to cause the appliance to make requests to an uni... Read more

    Affected Products : sma1000_firmware sma1000
    • Published: Apr. 30, 2025
    • Modified: May. 14, 2025
    • Vuln Type: Server-Side Request Forgery

  • 6.1

    MEDIUM
    CVE-2025-22247

    VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.... Read more

    Affected Products : tools
    • Published: May. 12, 2025
    • Modified: May. 14, 2025

  • 4.3

    MEDIUM
    CVE-2022-3151

    The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack.... Read more

    Affected Products : wp_custom_cursors
    • EPSS Score: %0.07
    • Published: Oct. 17, 2022
    • Modified: May. 14, 2025

  • 7.2

    HIGH
    CVE-2022-3150

    The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin... Read more

    • EPSS Score: %0.44
    • Published: Oct. 17, 2022
    • Modified: May. 14, 2025

  • 5.4

    MEDIUM
    CVE-2024-3239

    The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.0.2 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributo... Read more

    Affected Products : postx
    • Published: May. 14, 2024
    • Modified: May. 14, 2025

  • 4.8

    MEDIUM
    CVE-2024-3582

    The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack... Read more

    Affected Products : ungallery
    • Published: May. 14, 2024
    • Modified: May. 14, 2025

  • 6.1

    MEDIUM
    CVE-2024-3590

    The LetterPress WordPress plugin through 1.2.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers... Read more

    Affected Products : letterpress
    • Published: May. 14, 2024
    • Modified: May. 14, 2025
Showing 20 of 291722 Results