Latest CVE Feed
- CVE-2024-53260
  Severity: MEDIUM (6.8)
  Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and/or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name...
  Affected Products: autolab
  Published: Nov. 27, 2024
  Modified: Apr. 21, 2025
- CVE-2024-8236
  Severity: MEDIUM (6.4)
  The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter of the Icon widget in all versions up to, and including, 3.25.7 due to insufficient input sanitization ...
  Affected Products: website_builder
  Published: Nov. 26, 2024
  Modified: Apr. 21, 2025
- CVE-2024-43005
  Severity: MEDIUM (4.7)
  A reflected cross-site scripting (XSS) vulnerability in the component dl_liuyan_save.php of ZZCMS v2023 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload....
  Affected Products: zzcms
  Published: Aug. 16, 2024
  Modified: Apr. 21, 2025
- CVE-2024-43006
  Severity: MEDIUM (5.4)
  A stored cross-site scripting (XSS) vulnerability exists in ZZCMS2023 in the ask/show.php file at line 21. An attacker can exploit this vulnerability by sending a specially crafted POST request to /user/ask_edit.php?action=add, which includes malicious Ja...
  Published: Aug. 16, 2024
  Modified: Apr. 21, 2025
- CVE-2024-43009
  Severity: MEDIUM (4.7)
  A reflected cross-site scripting (XSS) vulnerability exists in user/login.php at line 24 in ZZCMS 2023 and earlier. The application directly inserts the value of the HTTP_REFERER header into the HTML response without proper sanitization. An attacker can e...
  Affected Products: zzcms
  Published: Aug. 16, 2024
  Modified: Apr. 21, 2025
- CVE-2024-43011
  Severity: MEDIUM (4.9)
  An arbitrary file deletion vulnerability exists in the admin/del.php file at line 62 in ZZCMS 2023 and earlier. Due to insufficient validation and sanitization of user input for file paths, an attacker can exploit this vulnerability by using directory tra...
  Affected Products: zzcms
  Published: Aug. 16, 2024
  Modified: Apr. 21, 2025
- CVE-2024-42612
  Severity: HIGH (8.8)
  Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/domain_management.php?whitelist_add...
  Affected Products: pligg_cms
  Published: Aug. 20, 2024
  Modified: Apr. 21, 2025
- CVE-2024-42619
  Severity: HIGH (8.8)
  Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/domain_management.php?id=0&list=whitelist&remove=pligg.com...
  Published: Aug. 20, 2024
  Modified: Apr. 21, 2025
- CVE-2024-42523
  Severity: HIGH (7.2)
  publiccms V4.0.202302.e and before is vulnerable to Any File Upload via publiccms/admin/cmsTemplate/saveMetaData...
  Affected Products: publiccms
  Published: Aug. 23, 2024
  Modified: Apr. 21, 2025
- CVE-2024-42914
  Severity: CRITICAL (9.1)
  A host header injection vulnerability exists in the forgot password functionality of ArrowCMS version 1.0.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicke...
  Affected Products: arrowcms
  Published: Aug. 23, 2024
  Modified: Apr. 21, 2025
- CVE-2024-40111
  Severity: MEDIUM (4.8)
  A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat fil...
  Affected Products: automad
  Published: Aug. 23, 2024
  Modified: Apr. 21, 2025
- CVE-2023-43650
  Severity: HIGH (8.2)
  JumpServer is an open source bastion host. The verification code for resetting a user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected us...
  Affected Products: jumpserver
  Published: Sep. 27, 2023
  Modified: Apr. 21, 2025
- CVE-2022-4837
  Severity: MEDIUM (5.4)
  The CPO Companion WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
  Affected Products: cpo_companion
  Published: Jan. 30, 2023
  Modified: Apr. 21, 2025
- CVE-2022-4552
  Severity: MEDIUM (6.1)
  The FL3R FeelBox WordPress plugin through 8.1 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
  Affected Products: fl3r_feelbox
  Published: Jan. 30, 2023
  Modified: Apr. 21, 2025
- CVE-2025-2613
  Severity: MEDIUM (4.4)
  The Login Manager – Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom logo and background URLs in all versions up to, and including, 2.0.5 due to insufficient input sa...
  Affected Products: (none listed)
  Published: Apr. 18, 2025
  Modified: Apr. 21, 2025
  Vuln Type: Cross-Site Scripting
- CVE-2025-39471
  Severity: CRITICAL (9.3)
  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pantherius Modal Survey. This issue affects Modal Survey: from n/a through 2.0.2.0.1....
  Affected Products: (none listed)
  Published: Apr. 18, 2025
  Modified: Apr. 21, 2025
  Vuln Type: Injection
- CVE-2025-32792
  Severity: HIGH (8.7)
  SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code i...
  Affected Products: ses
  Published: Apr. 18, 2025
  Modified: Apr. 21, 2025
- CVE-2025-3275
  Severity: MEDIUM (6.4)
  The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider widget in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible...
  Affected Products: themesflat_addons_for_elementor
  Published: Apr. 19, 2025
  Modified: Apr. 21, 2025
  Vuln Type: Cross-Site Scripting
- CVE-2025-2111
  Severity: HIGH (7.5)
  The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it pos...
  Affected Products: (none listed)
  Published: Apr. 19, 2025
  Modified: Apr. 21, 2025
  Vuln Type: Cross-Site Request Forgery
- CVE-2025-3801
  Severity: MEDIUM (4.8)
  A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cro...
  Affected Products: (none listed)
  Published: Apr. 19, 2025
  Modified: Apr. 21, 2025
  Vuln Type: Cross-Site Scripting