Latest CVE Feed

The following is a list of the most recently published vulnerabilities. You can filter the list by severity, by whether the vulnerability is known to be actively exploited (i.e., listed in the CISA KEV catalog), or by whether it is remotely exploitable. You can also sort the list by published date, last updated date, or CVSS score.
  • 9.1

    CRITICAL
    CVE-2024-10834

    eosphoros-ai/db-gpt version 0.6.0 contains a vulnerability in the RAG-knowledge endpoint that allows for arbitrary file write. The issue arises from the ability to pass an absolute path to a call to `os.path.join`, enabling an attacker to write files to a...

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal
  • 9.1

    CRITICAL
    CVE-2024-10833

    eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as 'knowledge' is susceptible to absolute path traversal, allowing attackers to write files to arbitrary locations on th...

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal
  • 9.1

    CRITICAL
    CVE-2024-10831

    In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the `fil...

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal
  • 8.2

    HIGH
    CVE-2024-10830

    A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. This vulnerability allows an attacker to delete any file on the server by manipulating the `file_key` parameter. The `file_key` ...

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal
  • 7.5

    HIGH
    CVE-2024-10829

    A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of eosphoros-ai/db-gpt v0.6.0 allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended...

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Denial of Service
  • 9.0

    CRITICAL
    CVE-2024-38648

    A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.

    Affected Products : desktop_&_server_management
    • Published: Jul. 12, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Cryptography
  • 8.1

    HIGH
    CVE-2024-2612

    If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115....

    Affected Products : firefox firefox_esr thunderbird
    • Published: Mar. 19, 2024
    • Modified: Jul. 17, 2025
  • 6.5

    MEDIUM
    CVE-2025-3780

    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versio...

    • Published: Jul. 09, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Authorization
  • 6.4

    MEDIUM
    CVE-2025-5678

    The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and ou...

    Affected Products : gutenberg_blocks_with_ai
    • Published: Jul. 09, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Cross-Site Scripting
  • 8.8

    HIGH
    CVE-2025-27889

    Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

    Affected Products : wing_ftp_server
    • Published: Jul. 10, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Injection
  • 5.5

    MEDIUM
    CVE-2025-51651

    An authenticated arbitrary file download vulnerability in the component /admin/Backups.php of Mccms v2.7.0 allows attackers to download arbitrary files via a crafted GET request.

    Affected Products : mccms
    • Published: Jul. 14, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal
  • 6.6

    MEDIUM
    CVE-2025-47811

    In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web...

    Affected Products : wing_ftp_server
    • Published: Jul. 10, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Authorization
  • 4.3

    MEDIUM
    CVE-2025-47813

    loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.

    Affected Products : wing_ftp_server
    • Published: Jul. 10, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Information Disclosure
  • 8.0

    HIGH
    CVE-2025-28243

    An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component.

    Affected Products : alteryx_server
    • Published: Jul. 10, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.4

    MEDIUM
    CVE-2025-5530

    The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on us...

    Affected Products : wpc_smart_compare_for_woocommerce
    • Published: Jul. 11, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Cross-Site Scripting
  • 6.4

    MEDIUM
    CVE-2025-6068

    The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and i...

    Affected Products : foogallery
    • Published: Jul. 11, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Cross-Site Scripting
  • 7.2

    HIGH
    CVE-2025-6851

    The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for u...

    Affected Products : broken_link_notifier
    • Published: Jul. 11, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Server-Side Request Forgery
  • 6.5

    MEDIUM
    CVE-2022-47393

    An authenticated, remote attacker may use an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.

    • EPSS Score: 0.44%
    • Published: May. 15, 2023
    • Modified: Jul. 17, 2025
  • 6.5

    MEDIUM
    CVE-2022-47392

    An authenticated, remote attacker may use an improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce Components of multiple CODESYS products in multiple versions to read from an invalid address which can lead to a denial-of-service condi...

    • EPSS Score: 0.26%
    • Published: May. 15, 2023
    • Modified: Jul. 17, 2025
  • 7.5

    HIGH
    CVE-2022-47391

    In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use an improper input validation vulnerability to read from invalid addresses leading to a denial of service.

    • EPSS Score: 0.47%
    • Published: May. 15, 2023
    • Modified: Jul. 17, 2025
Showing 20 of 291526 Results