Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-4391

    The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unau... Read more

    Affected Products : echo_rss_feed_post_generator
    • Published: May. 17, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authentication

  • 4.8

    MEDIUM
    CVE-2025-41429

    a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user's session.... Read more

    Affected Products : a-blog_cms
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-46801

    Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or ta... Read more

    Affected Products : pgpool-ii
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authentication

  • 8.6

    HIGH
    CVE-2025-4477

    The ThreatSonar Anti-Ransomware from TeamT5 has a Privilege Escalation vulnerability, allowing remote attackers with intermediate privileges to escalate their privileges to highest administrator level through a specific API.... Read more

    Affected Products : threatsonar_anti-ransomware
    • Published: May. 19, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authorization

  • 3.5

    LOW
    CVE-2025-48219

    O2 UK before 2025-05-19 allows subscribers to determine the Cell ID of other subscribers by initiating an IMS (IP Multimedia Subsystem) call and then reading the utran-cell-id-3gpp field of a Cellular-Network-Info SIP header, aka an ECI (E-UTRAN Cell Iden... Read more

    Affected Products :
    • Published: May. 18, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Information Disclosure

  • 6.4

    MEDIUM
    CVE-2025-4610

    The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on ... Read more

    Affected Products : wp-members
    • Published: May. 17, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Cross-Site Scripting

  • 3.1

    LOW
    CVE-2025-22233

    CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring ... Read more

    Affected Products : spring_framework
    • Published: May. 16, 2025
    • Modified: May. 19, 2025
    • Vuln Type: Authorization

  • 4.8

    MEDIUM
    CVE-2024-1958

    The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated use... Read more

    Affected Products : wpb_show_core
    • Published: Apr. 08, 2024
    • Modified: May. 19, 2025

  • 6.1

    MEDIUM
    CVE-2024-1956

    The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting... Read more

    Affected Products : wpb_show_core
    • Published: Apr. 08, 2024
    • Modified: May. 19, 2025

  • 4.7

    MEDIUM
    CVE-2024-1292

    The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin... Read more

    Affected Products : wpb_show_core
    • Published: Apr. 08, 2024
    • Modified: May. 19, 2025

  • 8.8

    HIGH
    CVE-2024-2016

    A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the... Read more

    Affected Products : zhicms
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 9.8

    CRITICAL
    CVE-2023-48902

    An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.... Read more

    Affected Products : autoexpress
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 6.1

    MEDIUM
    CVE-2023-48903

    Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter "imgType" via in uploadCarImages.php.... Read more

    Affected Products : autoexpress
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 9.8

    CRITICAL
    CVE-2023-48901

    A SQL injection vulnerability in tramyardg Autoexpress version 1.3.0, allows remote unauthenticated attackers to execute arbitrary SQL commands via the parameter "id" within the getPhotosByCarId function call in details.php.... Read more

    Affected Products : autoexpress
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 8.8

    HIGH
    CVE-2024-2015

    A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be ... Read more

    Affected Products : zhicms
    • Published: Mar. 21, 2024
    • Modified: May. 19, 2025

  • 7.5

    HIGH
    CVE-2024-24549

    Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until af... Read more

    Affected Products : fedora debian_linux tomcat
    • Published: Mar. 13, 2024
    • Modified: May. 19, 2025

  • 7.2

    HIGH
    CVE-2024-2568

    A vulnerability has been found in heyewei JFinalCMS 5.0.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/div_data/delete?divId=9 of the component Custom Data Page. The manipulation leads to sql in... Read more

    Affected Products : jfinalcms
    • Published: Mar. 17, 2024
    • Modified: May. 19, 2025

  • 6.1

    MEDIUM
    CVE-2024-26466

    A DOM based cross-site scripting (XSS) vulnerability in the component /dom/ranges/Range-test-iframe.html of web-platform-tests/wpt before commit 938e843 allows attackers to execute arbitrary Javascript via sending a crafted URL.... Read more

    Affected Products : web-platform-tests
    • Published: Feb. 26, 2024
    • Modified: May. 19, 2025

  • 6.1

    MEDIUM
    CVE-2024-41693

    Mashov - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)... Read more

    Affected Products : mashov
    • Published: Jul. 30, 2024
    • Modified: May. 19, 2025

  • 5.3

    MEDIUM
    CVE-2023-27043

    The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection m... Read more

    • Published: Apr. 19, 2023
    • Modified: May. 19, 2025
Showing 20 of 292803 Results