Latest CVE Feed
-
5.3
MEDIUM CVE-2024-6839
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensit...
- Published: Mar. 20, 2025
- Modified: Aug. 01, 2025
- Vuln Type: Misconfiguration
-
5.3
MEDIUM CVE-2024-6838
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unre...
Affected Products : mlflow
- Published: Mar. 20, 2025
- Modified: Apr. 01, 2025
- Vuln Type: Denial of Service
-
9.1
CRITICAL CVE-2024-6829
A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control `repo.path` and `...
Affected Products : aim
- Published: Mar. 20, 2025
- Modified: Jul. 23, 2025
- Vuln Type: Path Traversal
-
7.5
HIGH CVE-2024-6827
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnera...
Affected Products : gunicorn
- Published: Mar. 20, 2025
- Modified: Mar. 20, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGH CVE-2024-6825
BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark,...
Affected Products : litellm
- Published: Mar. 20, 2025
- Modified: Jul. 15, 2025
- Vuln Type: Authentication
-
4.3
MEDIUM CVE-2024-6583
A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request....
Affected Products : quivr
- Published: Mar. 20, 2025
- Modified: Jul. 15, 2025
- Vuln Type: Path Traversal
-
6.3
MEDIUM CVE-2024-6577
In the latest version of pytorch/serve, the script 'upload_results_to_s3.sh' references the S3 bucket 'benchmarkai-metrics-prod' without ensuring its ownership or confirming its accessibility. This could lead to potential security vulnerabilities or unaut...
Affected Products :
- Published: Mar. 20, 2025
- Modified: Mar. 20, 2025
- Vuln Type: Misconfiguration
-
5.3
MEDIUM CVE-2024-6483
A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used...
Affected Products : aim
- Published: Mar. 20, 2025
- Modified: Jul. 23, 2025
- Vuln Type: Path Traversal
-
9.1
CRITICAL CVE-2024-5752
A path traversal vulnerability exists in stitionai/devika, specifically in the project creation functionality. In the affected version beacf6edaa205a5a5370525407a6db45137873b3, the project name is not validated, allowing an attacker to create a project wi...
Affected Products : devika
- Published: Mar. 20, 2025
- Modified: Mar. 20, 2025
- Vuln Type: Path Traversal
-
9.1
CRITICAL CVE-2024-4990
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary cl...
Affected Products : yii
- Published: Mar. 20, 2025
- Modified: Apr. 01, 2025
- Vuln Type: Authentication
-
8.1
HIGH CVE-2024-4023
A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, lead...
Affected Products : flatpress
- Published: Mar. 20, 2025
- Modified: Jun. 23, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGH CVE-2024-2292
Due to a lack of access control, unauthorized users are able to view and modify information pertaining to other users....
Affected Products :
- Published: Mar. 20, 2025
- Modified: Mar. 20, 2025
- Vuln Type: Authorization
-
4.3
MEDIUM CVE-2024-13060
A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1....
- Published: Mar. 20, 2025
- Modified: Apr. 01, 2025
- Vuln Type: Authorization
-
7.1
HIGH CVE-2024-12911
A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vul...
Affected Products : llamaindex
- Published: Mar. 20, 2025
- Modified: Jul. 30, 2025
- Vuln Type: Injection
-
5.9
MEDIUM CVE-2024-12910
A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive ca...
Affected Products : llamaindex
- Published: Mar. 20, 2025
- Modified: Apr. 01, 2025
- Vuln Type: Denial of Service
-
10.0
CRITICAL CVE-2024-12909
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arb...
Affected Products : llamaindex
- Published: Mar. 20, 2025
- Modified: Jul. 30, 2025
- Vuln Type: Injection
-
7.5
HIGH CVE-2024-12886
An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is prese...
Affected Products : ollama
- Published: Mar. 20, 2025
- Modified: Mar. 20, 2025
- Vuln Type: Denial of Service
-
7.5
HIGH CVE-2024-12882
comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs `POST /internal/models/download` and `GET /view`, allowing attackers to abuse t...
Affected Products : comfyui
- Published: Mar. 20, 2025
- Modified: Aug. 01, 2025
- Vuln Type: Server-Side Request Forgery
-
8.1
HIGH CVE-2024-12880
A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can manipu...
Affected Products : ragflow
- Published: Mar. 20, 2025
- Modified: Jul. 14, 2025
- Vuln Type: Authorization
-
5.4
MEDIUM CVE-2024-12871
An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to sessi...
Affected Products : ragflow
- Published: Mar. 20, 2025
- Modified: Apr. 01, 2025
- Vuln Type: Cross-Site Scripting