Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
  • 8.1

    HIGH
    CVE-2024-4023

    A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, lead...

    Affected Products: flatpress
    • Published: Mar. 20, 2025
    • Modified: Jun. 23, 2025
    • Vuln Type: Cross-Site Scripting
  • 7.1

    HIGH
    CVE-2024-2292

    Due to a lack of access control, unauthorized users are able to view and modify information pertaining to other users....

    Affected Products:
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Authorization
  • 4.3

    MEDIUM
    CVE-2024-13060

    A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1....

    Affected Products: anythingllm anythingllm_docker
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Authorization
  • 7.1

    HIGH
    CVE-2024-12911

    A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vul...

    Affected Products: llamaindex
    • Published: Mar. 20, 2025
    • Modified: Jul. 30, 2025
    • Vuln Type: Injection
  • 5.9

    MEDIUM
    CVE-2024-12910

    A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive ca...

    Affected Products: llamaindex
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Denial of Service
  • 10.0

    CRITICAL
    CVE-2024-12909

    A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arb...

    Affected Products: llamaindex
    • Published: Mar. 20, 2025
    • Modified: Jul. 30, 2025
    • Vuln Type: Injection
  • 7.5

    HIGH
    CVE-2024-12886

    An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is prese...

    Affected Products: ollama
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Denial of Service
  • 7.5

    HIGH
    CVE-2024-12882

    comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs `POST /internal/models/download` and `GET /view`, allowing attackers to abuse t...

    Affected Products: comfyui
    • Published: Mar. 20, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Server-Side Request Forgery
  • 8.1

    HIGH
    CVE-2024-12880

    A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can manipu...

    Affected Products: ragflow
    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Authorization
  • 5.4

    MEDIUM
    CVE-2024-12871

    An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to sessi...

    Affected Products: ragflow
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2024-12870

    A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These file...

    Affected Products: ragflow
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Cross-Site Scripting
  • 4.3

    MEDIUM
    CVE-2024-12869

    In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or user...

    Affected Products: ragflow
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Authentication
  • 7.5

    HIGH
    CVE-2024-12866

    A local file inclusion vulnerability exists in netease-youdao/qanything version v2.0.0. This vulnerability allows an attacker to read arbitrary files on the file system, which can lead to remote code execution by retrieving private SSH keys, reading priva...

    Affected Products: qanything qanything
    • Published: Mar. 20, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Path Traversal
  • 7.5

    HIGH
    CVE-2024-12864

    A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything version v2.0.0. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can expl...

    Affected Products: qanything qanything
    • Published: Mar. 20, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Denial of Service
  • 7.5

    HIGH
    CVE-2024-12779

    A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST /v1/llm/add_llm` and `POST /v1/conversation/tts` endpoints. Attackers can specify an arbitrary URL as the `api_base` ...

    Affected Products: ragflow
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Server-Side Request Forgery
  • 7.5

    HIGH
    CVE-2024-12778

    A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root ...

    Affected Products: aim
    • Published: Mar. 20, 2025
    • Modified: Jul. 18, 2025
    • Vuln Type: Denial of Service
  • 5.9

    MEDIUM
    CVE-2024-12777

    A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. ...

    Affected Products: aim
    • Published: Mar. 20, 2025
    • Modified: Jul. 18, 2025
    • Vuln Type: Denial of Service
  • 8.1

    HIGH
    CVE-2024-12776

    In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the appli...

    Affected Products: dify dify
    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Authentication
  • 6.5

    MEDIUM
    CVE-2024-12775

    langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. Attackers can set th...

    Affected Products: dify dify
    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Server-Side Request Forgery
  • 7.5

    HIGH
    CVE-2024-12766

    parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web res...

    Affected Products: lollms_web_ui
    • Published: Mar. 20, 2025
    • Modified: Jul. 08, 2025
    • Vuln Type: Server-Side Request Forgery