Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-4329

    A vulnerability was found in 74CMS up to 3.33.0. It has been rated as problematic. Affected by this issue is the function index of the file /index.php/index/download/index. The manipulation of the argument url leads to path traversal. The attack may be la... Read more

    Affected Products : 74cms
    • Published: May. 06, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Path Traversal

  • 9.9

    CRITICAL
    CVE-2025-49113

    Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.... Read more

    Affected Products : webmail roundcube
    • Published: Jun. 02, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authentication

  • 7.8

    HIGH
    CVE-2024-8012

    An authentication bypass weakness in the message broker service of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.... Read more

    Affected Products : workspace_control
    • Published: Sep. 10, 2024
    • Modified: Jun. 12, 2025

  • 8.8

    HIGH
    CVE-2024-44107

    DLL hijacking in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges and achieve arbitrary code execution.... Read more

    Affected Products : workspace_control
    • Published: Sep. 10, 2024
    • Modified: Jun. 12, 2025

  • 8.8

    HIGH
    CVE-2024-44106

    Insufficient server-side controls in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.... Read more

    Affected Products : workspace_control
    • Published: Sep. 10, 2024
    • Modified: Jun. 12, 2025

  • 8.2

    HIGH
    CVE-2024-44105

    Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to obtain OS credentials.... Read more

    Affected Products : workspace_control
    • Published: Sep. 10, 2024
    • Modified: Jun. 12, 2025

  • 8.8

    HIGH
    CVE-2024-44104

    An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.... Read more

    Affected Products : workspace_control
    • Published: Sep. 10, 2024
    • Modified: Jun. 12, 2025

  • 8.8

    HIGH
    CVE-2024-44103

    DLL hijacking in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.... Read more

    Affected Products : workspace_control
    • Published: Sep. 10, 2024
    • Modified: Jun. 12, 2025

  • 9.8

    CRITICAL
    CVE-2025-44073

    SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php.... Read more

    Affected Products : seacms
    • Published: May. 06, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 4.7

    MEDIUM
    CVE-2024-12595

    The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers... Read more

    Affected Products : ahathat
    • Published: Jan. 02, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.8

    MEDIUM
    CVE-2024-11645

    The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for... Read more

    Affected Products : float_block
    • Published: Dec. 27, 2024
    • Modified: Jun. 12, 2025

  • 4.8

    MEDIUM
    CVE-2024-11605

    The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit... Read more

    Affected Products : wp-publications
    • Published: Dec. 27, 2024
    • Modified: Jun. 12, 2025

  • 6.1

    MEDIUM
    CVE-2024-10103

    In the process of testing the MailPoet WordPress plugin before 5.3.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor... Read more

    Affected Products : mailpoet mailpoet
    • Published: Nov. 19, 2024
    • Modified: Jun. 12, 2025

  • 4.8

    MEDIUM
    CVE-2024-6270

    The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowe... Read more

    Affected Products : community_events
    • Published: Aug. 05, 2024
    • Modified: Jun. 12, 2025

  • 7.2

    HIGH
    CVE-2024-11269

    The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.... Read more

    Affected Products : ahathat
    • Published: May. 15, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2024-11267

    The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing user with Contributor to perform SQL injection attacks.... Read more

    Affected Products : jsp_store_locator
    • Published: May. 15, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Injection

  • 4.1

    MEDIUM
    CVE-2025-2048

    The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server... Read more

    Affected Products : lana_downloads_manager
    • Published: Apr. 01, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2024-12736

    The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.... Read more

    Affected Products : bu_section_editing
    • Published: Jan. 09, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2024-11606

    The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform... Read more

    Affected Products : tabs_shortcode
    • Published: Jan. 07, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2024-8085

    The PeoplePond WordPress plugin through 1.1.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.... Read more

    Affected Products : peoplepond
    • Published: May. 15, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Cross-Site Request Forgery
Showing 20 of 293584 Results