Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2024-9686

    The Order Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nktgnfw_send_test_message' function in versions up to, and including, 1.0.1. This makes it possible for u... Read more

    Affected Products : order_notification_for_telegram
    • Published: Oct. 25, 2024
    • Modified: Nov. 06, 2024

  • 4.5

    MEDIUM
    CVE-2024-10372

    A vulnerability classified as problematic was found in chidiwilliams buzz 1.1.0. This vulnerability affects the function download_model of the file buzz/model_loader.py. The manipulation leads to insecure temporary file. It is possible to launch the attac... Read more

    Affected Products : buzz
    • Published: Oct. 25, 2024
    • Modified: Nov. 06, 2024

  • 6.4

    MEDIUM
    CVE-2024-10148

    The Awesome buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btn2 shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This ma... Read more

    Affected Products : awesome_buttons
    • Published: Oct. 25, 2024
    • Modified: Nov. 06, 2024

  • 8.1

    HIGH
    CVE-2024-10011

    The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on f... Read more

    Affected Products : buddypress
    • Published: Oct. 25, 2024
    • Modified: Nov. 06, 2024

  • 9.3

    CRITICAL
    CVE-2024-51561

    This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the se... Read more

    Affected Products : aero wave_2.0
    • Published: Nov. 04, 2024
    • Modified: Nov. 06, 2024

  • 6.9

    MEDIUM
    CVE-2024-9147

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Bna Informatics PosPratik allows XSS Through HTTP Query Strings.This issue affects PosPratik: before v3.2.1.... Read more

    Affected Products : pospratik
    • Published: Nov. 04, 2024
    • Modified: Nov. 06, 2024

  • 8.8

    HIGH
    CVE-2024-51582

    Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through 2.1.4.... Read more

    Affected Products : wp_hotel_booking
    • Published: Nov. 04, 2024
    • Modified: Nov. 06, 2024

  • 10.0

    CRITICAL
    CVE-2024-50523

    Unrestricted Upload of File with Dangerous Type vulnerability in RainbowLink Inc. All Post Contact Form allows Upload a Web Shell to a Web Server.This issue affects All Post Contact Form: from n/a through 1.7.3.... Read more

    Affected Products : all_post_contact_form
    • Published: Nov. 04, 2024
    • Modified: Nov. 06, 2024

  • 7.5

    HIGH
    CVE-2024-48931

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path>` is vulnerable to arbitra... Read more

    Affected Products : zimaos
    • Published: Oct. 24, 2024
    • Modified: Nov. 06, 2024

  • 9.8

    CRITICAL
    CVE-2024-7456

    A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is... Read more

    Affected Products : lunary
    • Published: Nov. 01, 2024
    • Modified: Nov. 06, 2024

  • 4.8

    MEDIUM
    CVE-2024-5578

    The Table of Contents Plus WordPress plugin through 2408 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed... Read more

    Affected Products : table_of_contents_plus
    • Published: Nov. 05, 2024
    • Modified: Nov. 06, 2024

  • 10.0

    CRITICAL
    CVE-2024-50525

    Unrestricted Upload of File with Dangerous Type vulnerability in Helloprint Plug your WooCommerce into the largest catalog of customized print products from Helloprint allows Upload a Web Shell to a Web Server.This issue affects Plug your WooCommerce into... Read more

    Affected Products : helloprint
    • Published: Nov. 04, 2024
    • Modified: Nov. 06, 2024

  • 4.8

    MEDIUM
    CVE-2024-7876

    The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site ... Read more

    Affected Products : simply_schedule_appointments
    • Published: Nov. 05, 2024
    • Modified: Nov. 06, 2024

  • 4.8

    MEDIUM
    CVE-2024-7877

    The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scri... Read more

    Affected Products : simply_schedule_appointments
    • Published: Nov. 05, 2024
    • Modified: Nov. 06, 2024

  • 8.8

    HIGH
    CVE-2024-9459

    Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.... Read more

    • Published: Nov. 05, 2024
    • Modified: Nov. 06, 2024

  • 7.5

    HIGH
    CVE-2024-49357

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `htt... Read more

    Affected Products : zimaos
    • Published: Oct. 24, 2024
    • Modified: Nov. 06, 2024

  • 5.3

    MEDIUM
    CVE-2024-49358

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Server-IP>/v1/users/login` in ZimaOS returns distinct responses based on whether a username e... Read more

    Affected Products : zimaos
    • Published: Oct. 24, 2024
    • Modified: Nov. 06, 2024

  • 7.5

    HIGH
    CVE-2024-49359

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allo... Read more

    Affected Products : zimaos
    • Published: Oct. 24, 2024
    • Modified: Nov. 06, 2024

  • 8.4

    HIGH
    CVE-2024-47137

    in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through out-of-bounds write.... Read more

    Affected Products : openharmony
    • Published: Nov. 05, 2024
    • Modified: Nov. 06, 2024

  • 5.5

    MEDIUM
    CVE-2024-47402

    in OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through out-of-bounds read.... Read more

    Affected Products : openharmony
    • Published: Nov. 05, 2024
    • Modified: Nov. 06, 2024
Showing 20 of 291141 Results