Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-53928

    MaxKB is an open-source AI assistant for enterprise. Prior to versions 1.10.9-lts and 2.0.0, a Remote Command Execution vulnerability exists in the MCP call. Versions 1.10.9-lts and 2.0.0 fix the issue.... Read more

    Affected Products : maxkb
    • Published: Jul. 17, 2025
    • Modified: Aug. 02, 2025

  • 6.3

    MEDIUM
    CVE-2025-53927

    MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2... Read more

    Affected Products : maxkb
    • Published: Jul. 17, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2025-6993

    The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the get_email_log_details() AJAX handler in versions 1.0.17 to 1.3.6. The handler reads the client-supplied post_id and retrieves the corr... Read more

    Affected Products : ultimate_wp_mail
    • Published: Jul. 16, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Authorization

  • 5.5

    MEDIUM
    CVE-2025-30483

    Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information di... Read more

    Affected Products : elastic_cloud_storage objectscale
    • Published: Jul. 15, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Information Disclosure

  • 8.8

    HIGH
    CVE-2025-7504

    The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter This makes it possible for authenticated attackers, with subscriber-level access and above, to injec... Read more

    Affected Products : friends
    • Published: Jul. 12, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Authentication

  • 5.4

    MEDIUM
    CVE-2025-2793

    IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to emb... Read more

    • Published: Jul. 08, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-2827

    IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system.... Read more

    • Published: Jul. 08, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Information Disclosure

  • 6.4

    MEDIUM
    CVE-2025-3630

    IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to ... Read more

    • Published: Jul. 08, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-3262

    A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable with... Read more

    Affected Products : transformers
    • Published: Jul. 07, 2025
    • Modified: Aug. 02, 2025
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2025-7078

    A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been ... Read more

    • Published: Jul. 06, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.4

    MEDIUM
    CVE-2025-45809

    BerriAI litellm v1.65.4 was discovered to contain a SQL injection vulnerability via the /key/block endpoint.... Read more

    Affected Products : litellm
    • Published: Jul. 03, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2025-6337

    A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615/4.0.0-B20230531.1404. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formTmultiAP of the component HTTP POST Re... Read more

    • Published: Jun. 20, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Memory Corruption

  • 6.1

    MEDIUM
    CVE-2025-49149

    Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a cross-... Read more

    Affected Products : dify
    • Published: Jun. 17, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-32800

    Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (mali... Read more

    Affected Products : conda-build
    • Published: Jun. 16, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Supply Chain

  • 8.8

    HIGH
    CVE-2025-4613

    Path traversal in Google Web Designer's template handling versions prior to 16.3.0.0407 on Windows allows attacker to achieve remote code execution by tricking users into downloading a malicious ad template... Read more

    Affected Products : windows web_designer
    • Published: Jun. 12, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2025-3855

    A vulnerability was found in CodeCanyon RISE Ultimate Project Manager 3.8.2 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php/team_members/save_profile_image/ of the component Profile Picture Handle... Read more

    Affected Products : rise_ultimate_project_manager
    • Published: Apr. 22, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Misconfiguration

  • 7.6

    HIGH
    CVE-2025-43862

    Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify APP orchestration, even though the web UI of APP orchestration is not presented for a normal user. This access control flaw allows non... Read more

    Affected Products : dify
    • Published: Apr. 25, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-1194

    A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapane... Read more

    Affected Products : transformers
    • Published: Apr. 29, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Denial of Service

  • 7.8

    HIGH
    CVE-2025-0217

    BeyondTrust Privileged Remote Access (PRA) versions prior to 25.1 are vulnerable to a local authentication bypass. A local authenticated attacker can view the connection details of a ShellJump session that was initiated with external tools, allowing unaut... Read more

    Affected Products : privileged_remote_access
    • Published: May. 05, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2025-46726

    Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with se... Read more

    Affected Products : langroid
    • Published: May. 05, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Denial of Service
Showing 20 of 291401 Results