Latest CVE Feed
- CVE-2025-29986 (8.3 HIGH)
  Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Common Anti-Virus Agent (CAVA). An unauthenticated attacker with remote access could potentially expl...
  - Affected Products: common_event_enabler
  - Published: Apr. 08, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Authorization
- CVE-2024-4965 (9.8 CRITICAL)
  ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DAR-7000-40 V31R02B1413C and classified as critical. This issue affects some unknown processing of the file /useratte/resmanage.php. The manipulation of the argument load leads to os comm...
  - Published: May. 16, 2024
  - Modified: Jul. 15, 2025
- CVE-2025-48812 (5.5 MEDIUM)
  Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally....
  - Affected Products: office 365_apps excel office_online_server office_long_term_servicing_channel office_macos_2024 office_macos_2021 excel_2016 office_2024 office_2021 +1 more products
  - Published: Jul. 08, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Information Disclosure
- CVE-2024-11173 (6.5 MEDIUM)
  An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. This issue occurs when certain API endpoints receive malformed input, resulting in an uncaught excepti...
  - Affected Products: librechat
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Denial of Service
- CVE-2024-1968 (7.5 HIGH)
  In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the ...
  - Affected Products: scrapy
  - Published: May. 20, 2024
  - Modified: Jul. 15, 2025
- CVE-2024-11850 (6.8 MEDIUM)
  A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit t...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Cross-Site Scripting
- CVE-2024-12039 (8.1 HIGH)
  langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours b...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Authentication
- CVE-2024-6583 (4.3 MEDIUM)
  A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request....
  - Affected Products: quivr
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Path Traversal
- CVE-2024-6854 (7.1 HIGH)
  In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overw...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Misconfiguration
- CVE-2024-6863 (6.5 MEDIUM)
  In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vuln...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Misconfiguration
- CVE-2024-7768 (7.5 HIGH)
  A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to r...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Denial of Service
- CVE-2024-8613 (8.8 HIGH)
  A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users' chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers t...
  - Affected Products: chuanhuchatgpt
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Authorization
- CVE-2024-8616 (8.2 HIGH)
  In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the `exportModelDetails` function in `ModelsHandler.java`, where the user-controllable `mexport.di...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Path Traversal
- CVE-2024-8954 (9.8 CRITICAL)
  In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the `x-api-key` header, thereby...
  - Affected Products: composio
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Authentication
- CVE-2024-8955 (7.5 HIGH)
  A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the contents of any file in the system by exploiting the BROWSERTOOL_GOTO_PAGE and BROWSERTOOL_GET_PAGE_DETAILS ...
  - Affected Products: composio
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Server-Side Request Forgery
- CVE-2024-9308 (6.1 MEDIUM)
  An open redirect vulnerability in haotian-liu/llava version v1.2.0 (LLaVA-1.6) allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This can be exploited for phishing attacks, malware distribution, ...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Misconfiguration
- CVE-2024-9309 (9.3 CRITICAL)
  A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerability allows attackers to exploit the victim Controller A...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Server-Side Request Forgery
- CVE-2025-7467 (9.8 CRITICAL)
  A vulnerability, which was classified as critical, was found in code-projects Modern Bag 1.0. This affects an unknown part of the file /product-detail.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack r...
  - Affected Products: modern_bag
  - Published: Jul. 12, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Injection
- CVE-2025-7468 (9.0 HIGH)
  A vulnerability has been found in Tenda FH1201 1.2.0.14 and classified as critical. This vulnerability affects the function fromSafeUrlFilter of the file /goform/fromSafeUrlFilter of the component HTTP POST Request Handler. The manipulation of the argumen...
  - Published: Jul. 12, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Memory Corruption
- CVE-2025-0184 (6.5 MEDIUM)
  A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype val...
  - Published: Mar. 20, 2025
  - Modified: Jul. 15, 2025
  - Vuln Type: Server-Side Request Forgery