Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.1

    HIGH
    CVE-2024-28199

    phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that... Read more

    Affected Products : phlex
    • Published: Mar. 11, 2024
    • Modified: Apr. 23, 2025

  • 9.8

    CRITICAL
    CVE-2023-45600

    A CWE-613 “Insufficient Session Expiration” vulnerability in the web application, due to the session cookie “sessionid” lasting two weeks, facilitates session hijacking attacks against victims. This issue affects: AiLux imx6 bundle below version imx6_1.0.... Read more

    Affected Products : imx6
    • Published: Mar. 05, 2024
    • Modified: Apr. 23, 2025

  • 5.4

    MEDIUM
    CVE-2022-4765

    The Portfolio for Elementor WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripti... Read more

    Affected Products : portfolio_for_elementor
    • Published: Jan. 30, 2023
    • Modified: Apr. 23, 2025

  • 6.1

    MEDIUM
    CVE-2025-29512

    Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database.... Read more

    Affected Products : nodebb
    • Published: Apr. 18, 2025
    • Modified: Apr. 23, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2024-1720

    The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 3.1.4 due to insuffici... Read more

    • Published: Mar. 07, 2024
    • Modified: Apr. 23, 2025

  • 6.1

    MEDIUM
    CVE-2025-29513

    Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator.... Read more

    Affected Products : nodebb
    • Published: Apr. 18, 2025
    • Modified: Apr. 23, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2023-5798

    The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks... Read more

    Affected Products : assistant
    • Published: Oct. 26, 2023
    • Modified: Apr. 23, 2025

  • 5.3

    MEDIUM
    CVE-2023-5561

    WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack... Read more

    Affected Products : wordpress
    • Published: Oct. 16, 2023
    • Modified: Apr. 23, 2025

  • 4.3

    MEDIUM
    CVE-2023-5519

    The EventPrime WordPress plugin before 3.2.0 does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks.... Read more

    Affected Products : eventprime
    • Published: Oct. 31, 2023
    • Modified: Apr. 23, 2025

  • 4.8

    MEDIUM
    CVE-2023-5243

    The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disa... Read more

    Affected Products : login_screen_manager
    • Published: Oct. 31, 2023
    • Modified: Apr. 23, 2025

  • 4.8

    MEDIUM
    CVE-2023-5229

    The E2Pdf WordPress plugin before 1.20.20 does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed... Read more

    Affected Products : e2pdf
    • Published: Oct. 31, 2023
    • Modified: Apr. 23, 2025

  • 5.3

    MEDIUM
    CVE-2023-5177

    The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode.... Read more

    Affected Products : vrm360
    • Published: Oct. 16, 2023
    • Modified: Apr. 23, 2025

  • 5.4

    MEDIUM
    CVE-2023-5167

    The User Activity Log Pro WordPress plugin before 2.3.4 does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks.... Read more

    Affected Products : user_activity_log
    • Published: Oct. 16, 2023
    • Modified: Apr. 23, 2025

  • 7.5

    HIGH
    CVE-2023-5133

    This user-activity-log-pro WordPress plugin before 2.3.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.... Read more

    Affected Products : user_activity_log
    • Published: Oct. 16, 2023
    • Modified: Apr. 23, 2025

  • 8.1

    HIGH
    CVE-2023-5098

    The Campaign Monitor Forms by Optin Cat WordPress plugin before 2.5.6 does not prevent users with low privileges (like subscribers) from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS.... Read more

    Affected Products : campaign_monitor_optin_cat
    • Published: Oct. 31, 2023
    • Modified: Apr. 23, 2025

  • 5.3

    MEDIUM
    CVE-2023-5089

    The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plu... Read more

    Affected Products : defender_security
    • Published: Oct. 16, 2023
    • Modified: Apr. 23, 2025

  • 5.4

    MEDIUM
    CVE-2023-5087

    The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code.... Read more

    Affected Products : pagelayer
    • Published: Oct. 16, 2023
    • Modified: Apr. 23, 2025

  • 7.5

    HIGH
    CVE-2023-5003

    The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any us... Read more

    • Published: Oct. 16, 2023
    • Modified: Apr. 23, 2025

  • 9.8

    CRITICAL
    CVE-2023-51771

    In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _ParseHeader in lib/server.c allows a one-byte recv buffer overflow via a long URI.... Read more

    Affected Products : micro_http_server
    • Published: Dec. 25, 2023
    • Modified: Apr. 23, 2025

  • 9.8

    CRITICAL
    CVE-2023-51707

    MotionPro in Array ArrayOS AG before 9.4.0.505 on AG and vxAG allows remote command execution via crafted packets. AG and vxAG 9.3.0.259.x are unaffected.... Read more

    Affected Products : arrayos_ag vxag ag
    • Published: Dec. 22, 2023
    • Modified: Apr. 23, 2025
Showing 20 of 293620 Results