Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.4

    MEDIUM
    CVE-2025-0192

    A stored Cross-site Scripting (XSS) vulnerability exists in the latest version of wandb/openui. The vulnerability is present in the edit HTML functionality, where an attacker can inject malicious scripts. When the modified HTML is shared with another user... Read more

    Affected Products :
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-0191

    A Denial of Service (DoS) vulnerability exists in the file upload feature of gaizhenbiao/chuanhuchatgpt version 20240914. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload wit... Read more

    Affected Products : chuanhuchatgpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2025-0190

    In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended ... Read more

    Affected Products : aim
    • Published: Mar. 20, 2025
    • Modified: Mar. 28, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2025-0189

    In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to ot... Read more

    Affected Products : aim
    • Published: Mar. 20, 2025
    • Modified: Mar. 28, 2025
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2025-0188

    A Server-Side Request Forgery (SSRF) vulnerability was discovered in gaizhenbiao/chuanhuchatgpt version 20240914. The vulnerability allows an attacker to construct a response link by saving the response in a folder named after the SHA-1 hash of the target... Read more

    Affected Products : chuanhuchatgpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Server-Side Request Forgery

  • 7.5

    HIGH
    CVE-2025-0187

    A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with a... Read more

    Affected Products : gradio video
    • Published: Mar. 20, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Denial of Service

  • 8.8

    HIGH
    CVE-2025-0185

    A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not pro... Read more

    Affected Products : dify dify
    • Published: Mar. 20, 2025
    • Modified: Mar. 27, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-0184

    A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype val... Read more

    Affected Products : dify dify
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Server-Side Request Forgery

  • 5.4

    MEDIUM
    CVE-2025-0183

    A stored cross-site scripting (XSS) vulnerability exists in the Latex Proof-Reading Module of binary-husky/gpt_academic version 3.9.0. This vulnerability allows an attacker to inject malicious scripts into the `debug_log.html` file generated by the module... Read more

    Affected Products : gpt_academic
    • Published: Mar. 20, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-0182

    A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. ... Read more

    Affected Products : onyx
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Denial of Service

  • 8.8

    HIGH
    CVE-2024-9920

    In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious conten... Read more

    Affected Products : lollms_web_ui
    • Published: Mar. 20, 2025
    • Modified: Apr. 03, 2025
    • Vuln Type: Authentication

  • 8.4

    HIGH
    CVE-2024-9919

    A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, e... Read more

    Affected Products : lollms_web_ui
    • Published: Mar. 20, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Authentication

  • 6.1

    MEDIUM
    CVE-2024-9900

    mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This ca... Read more

    Affected Products : localai
    • Published: Mar. 20, 2025
    • Modified: Apr. 04, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.0

    HIGH
    CVE-2024-9847

    FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticate... Read more

    Affected Products : flatpress
    • Published: Mar. 20, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 9.8

    CRITICAL
    CVE-2024-9701

    A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a ful... Read more

    Affected Products :
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2024-9699

    A vulnerability in the file upload functionality of the FlatPress CMS admin panel (version latest) allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded ... Read more

    Affected Products : flatpress
    • Published: Mar. 20, 2025
    • Modified: Jun. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2024-9617

    An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to... Read more

    Affected Products : onyx
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2024-9612

    In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the fron... Read more

    Affected Products : onyx
    • Published: Mar. 20, 2025
    • Modified: Apr. 03, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2024-9606

    In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API ... Read more

    Affected Products : litellm
    • Published: Mar. 20, 2025
    • Modified: Apr. 07, 2025
    • Vuln Type: Information Disclosure

  • 7.1

    HIGH
    CVE-2024-9597

    A Path Traversal vulnerability exists in the `/wipe_database` endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the `key` parameter, which is used to c... Read more

    Affected Products : lollms lollms_web_ui
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Path Traversal
Showing 20 of 291793 Results