Latest CVE Feed

Following is the list of the most recently published vulnerabilities. The list can be filtered by severity, by whether the vulnerability is known to be actively exploited (i.e., it appears in the CISA Known Exploited Vulnerabilities (KEV) catalog), and by whether it is remotely exploitable. It can also be sorted by published date, last-modified date, or CVSS score.
  • CVE-2024-48590 (CVSS 9.8, CRITICAL)

    Inflectra SpiraTeam 7.2.00 is vulnerable to Server-Side Request Forgery (SSRF) via the NewsReaderService. This allows an attacker to escalate privileges and obtain sensitive information....

    Affected Products: spirateam
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Server-Side Request Forgery
  • CVE-2025-29101 (CVSS 7.5, HIGH)

    Tenda AC8V4.0 V16.03.34.06 was discovered to contain a stack overflow via the deviceid parameter in the get_parentControl_list_Info function....

    Affected Products: ac8_firmware ac8
    • Published: Mar. 20, 2025
    • Modified: Mar. 25, 2025
    • Vuln Type: Memory Corruption
  • CVE-2025-2539 (CVSS 7.5, HIGH)

    The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the ...

    Affected Products: file_away
    • Published: Mar. 20, 2025
    • Modified: Aug. 11, 2025
    • Vuln Type: Authorization
  • CVE-2025-2311 (CVSS 9.0, CRITICAL)

    Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, H...

    Affected Products:
    • Published: Mar. 20, 2025
    • Modified: Mar. 21, 2025
    • Vuln Type: Authentication
  • CVE-2025-27888 (CVSS 5.8, MEDIUM)

    Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue af...

    Affected Products: druid
    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Server-Side Request Forgery
  • CVE-2025-1802 (CVSS 6.4, MEDIUM)

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_title', 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient ...

    Affected Products: ht_mega
    • Published: Mar. 20, 2025
    • Modified: Mar. 26, 2025
    • Vuln Type: Cross-Site Scripting
  • CVE-2024-13923 (CVSS 7.6, HIGH)

    The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.0 via the validate_file() function. This makes it possible for authenticated attackers, with Admini...

    • Published: Mar. 20, 2025
    • Modified: Mar. 26, 2025
    • Vuln Type: Server-Side Request Forgery
  • CVE-2024-13922 (CVSS 6.5, MEDIUM)

    The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.0. This makes it possible for...

    • Published: Mar. 20, 2025
    • Modified: Mar. 26, 2025
    • Vuln Type: Path Traversal
  • CVE-2024-13921 (CVSS 7.2, HIGH)

    The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authen...

    • Published: Mar. 20, 2025
    • Modified: Mar. 26, 2025
    • Vuln Type: Authentication
  • CVE-2024-13920 (CVSS 4.9, MEDIUM)

    The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-...

    • Published: Mar. 20, 2025
    • Modified: Mar. 27, 2025
    • Vuln Type: Path Traversal
  • CVE-2024-13558 (CVSS 7.5, HIGH)

    The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. This makes it possible for unauthenticated attack...

    Affected Products: np_quote_request_for_woocommerce
    • Published: Mar. 20, 2025
    • Modified: Mar. 27, 2025
    • Vuln Type: Authorization
  • CVE-2025-1796 (CVSS 8.8, HIGH)

    A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses `random.ran...

    Affected Products: dify dify
    • Published: Mar. 20, 2025
    • Modified: Jul. 16, 2025
    • Vuln Type: Authentication
  • CVE-2025-1474 (CVSS 5.5, MEDIUM)

    In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue vio...

    Affected Products: mlflow
    • Published: Mar. 20, 2025
    • Modified: Mar. 27, 2025
    • Vuln Type: Authentication
  • CVE-2025-1473 (CVSS 7.1, HIGH)

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the ma...

    Affected Products: mlflow
    • Published: Mar. 20, 2025
    • Modified: Aug. 05, 2025
    • Vuln Type: Cross-Site Request Forgery
  • CVE-2025-1451 (CVSS 7.5, HIGH)

    A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft reques...

    Affected Products: lollms_web_ui
    • Published: Mar. 20, 2025
    • Modified: Mar. 27, 2025
    • Vuln Type: Denial of Service
  • CVE-2025-1040 (CVSS 8.8, HIGH)

    AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). The vulnerability arises from the improper handling of user-supplied format strings in the `AgentOutputBlock` impl...

    Affected Products: autogpt autogpt_platform
    • Published: Mar. 20, 2025
    • Modified: Aug. 05, 2025
    • Vuln Type: Injection
  • CVE-2025-0628 (CVSS 8.1, HIGH)

    An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access a...

    Affected Products: litellm
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Authorization
  • CVE-2025-0508 (CVSS 5.9, MEDIUM)

    A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configura...

    Affected Products:
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Cryptography
  • CVE-2025-0454 (CVSS 7.5, HIGH)

    A Server-Side Request Forgery (SSRF) vulnerability was identified in the Requests utility of significant-gravitas/autogpt versions prior to v0.4.0. The vulnerability arises due to a hostname confusion between the `urlparse` function from the `urllib.parse...

    Affected Products: autogpt autogpt_platform
    • Published: Mar. 20, 2025
    • Modified: Aug. 05, 2025
    • Vuln Type: Server-Side Request Forgery
  • CVE-2025-0453 (CVSS 7.5, HIGH)

    In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by ML...

    Affected Products: mlflow
    • Published: Mar. 20, 2025
    • Modified: Apr. 02, 2025
    • Vuln Type: Denial of Service
Showing 20 of 291779 Results