Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2022-44795

    An issue was discovered in Object First Ootbi BETA build 1.0.7.712. A flaw was found in the Web Service, which could lead to local information disclosure. The command that creates the URL for the support bundle uses an insecure RNG. That can lead to predi... Read more

    Affected Products : object_first ootbi
    • Published: Nov. 07, 2022
    • Modified: Jun. 24, 2025

  • 9.8

    CRITICAL
    CVE-2022-44796

    An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a functio... Read more

    Affected Products : object_first ootbi
    • Published: Nov. 07, 2022
    • Modified: Jun. 24, 2025

  • 6.5

    MEDIUM
    CVE-2025-48942

    vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-... Read more

    Affected Products : vllm
    • Published: May. 30, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2025-48943

    vLLM is an inference and serving engine for large language models (LLMs). Version 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vu... Read more

    Affected Products : vllm
    • Published: May. 30, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2023-4527

    A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents... Read more

    • Published: Sep. 18, 2023
    • Modified: Jun. 24, 2025

  • 5.3

    MEDIUM
    CVE-2024-56946

    Denial of service in DNS-over-QUIC in Technitium DNS Server <= v13.2.2 allows remote attackers to permanently stop the server from accepting new DNS-over-QUIC connections by triggering unhandled exceptions in listener threads.... Read more

    Affected Products : dnsserver
    • Published: Feb. 03, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Denial of Service

  • 7.3

    HIGH
    CVE-2025-1936

    jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have be... Read more

    Affected Products : firefox firefox_esr thunderbird
    • Published: Mar. 04, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Information Disclosure

  • 9.1

    CRITICAL
    CVE-2024-11705

    `NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows `phKey` t... Read more

    Affected Products : firefox thunderbird
    • Published: Nov. 26, 2024
    • Modified: Jun. 24, 2025

  • 9.8

    CRITICAL
    CVE-2024-11698

    A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. This issue left users unable to exit fullscreen mode using standard actions li... Read more

    Affected Products : firefox firefox_esr thunderbird macos
    • Published: Nov. 26, 2024
    • Modified: Jun. 24, 2025

  • 5.4

    MEDIUM
    CVE-2024-11696

    The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the si... Read more

    Affected Products : firefox firefox_esr thunderbird
    • Published: Nov. 26, 2024
    • Modified: Jun. 24, 2025

  • 6.1

    MEDIUM
    CVE-2024-11694

    Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading... Read more

    Affected Products : firefox firefox_esr thunderbird
    • Published: Nov. 26, 2024
    • Modified: Jun. 24, 2025

  • 8.8

    HIGH
    CVE-2024-11691

    Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaf... Read more

    Affected Products : firefox firefox_esr thunderbird m1 m1_max m1_pro m1_ultra m2 m2_max m2_pro +8 more products
    • Published: Nov. 26, 2024
    • Modified: Jun. 24, 2025

  • 5.4

    MEDIUM
    CVE-2024-50637

    UnoPim 0.1.3 and below is vulnerable to Cross Site Scripting (XSS) in the Create User function. This allows attackers to perform XSS via an SVG document, which can be used to steal cookies.... Read more

    Affected Products : unopim
    • Published: Nov. 06, 2024
    • Modified: Jun. 24, 2025

  • 6.1

    MEDIUM
    CVE-2023-2142

    In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross ... Read more

    Affected Products : nunjucks
    • Published: Nov. 26, 2024
    • Modified: Jun. 24, 2025

  • 7.5

    HIGH
    CVE-2025-1975

    A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when downloading a m... Read more

    Affected Products : ollama
    • Published: May. 16, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Denial of Service

  • 8.8

    HIGH
    CVE-2024-7297

    Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the '/api/v1/users' endpoint.... Read more

    Affected Products : langflow
    • Published: Jul. 30, 2024
    • Modified: Jun. 24, 2025

  • 9.8

    CRITICAL
    CVE-2025-32966

    DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.8, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.8.... Read more

    Affected Products : dataease
    • Published: Apr. 23, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Authentication

  • 8.4

    HIGH
    CVE-2024-54149

    Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox pl... Read more

    Affected Products : winter
    • Published: Dec. 09, 2024
    • Modified: Jun. 24, 2025

  • 7.5

    HIGH
    CVE-2024-28232

    Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 h... Read more

    Affected Products : casaos casaos-userservice
    • Published: Apr. 01, 2024
    • Modified: Jun. 24, 2025

  • 8.1

    HIGH
    CVE-2024-48325

    Portabilis i-Educar 2.8.0 is vulnerable to SQL Injection in the "getDocuments" function of the "InstituicaoDocumentacaoController" class. The "instituicao_id" parameter in "/module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao_id"... Read more

    Affected Products : i-educar
    • Published: Nov. 06, 2024
    • Modified: Jun. 24, 2025
Showing 20 of 293680 Results