Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.4

    HIGH
    CVE-2024-11602

    A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the ... Read more

    Affected Products :
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2024-11449

    A vulnerability in haotian-liu/llava version 1.2.0 (LLaVA-1.6) allows for Server-Side Request Forgery (SSRF) through the /run/predict endpoint. An attacker can gain unauthorized access to internal networks or the AWS metadata endpoint by sending crafted r... Read more

    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Server-Side Request Forgery

  • 6.1

    MEDIUM
    CVE-2024-11441

    A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted me... Read more

    Affected Products :
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.0

    HIGH
    CVE-2024-11302

    A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding e... Read more

    Affected Products : lollms lollms_web_ui
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2024-11301

    In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request wit... Read more

    Affected Products : lunary
    • Published: Mar. 20, 2025
    • Modified: Jul. 02, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2024-11300

    In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensit... Read more

    Affected Products : lunary
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2024-11173

    An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. This issue occurs when certain API endpoints receive malformed input, resulting in an uncaught excepti... Read more

    Affected Products : librechat
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2024-11172

    A vulnerability in danny-avila/librechat version git a1647d7 allows an unauthenticated attacker to cause a denial of service by sending a crafted payload to the server. The middleware `checkBan` is not surrounded by a try-catch block, and an unhandled exc... Read more

    Affected Products : librechat
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2024-11171

    In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage (the default setting for multer), there is no limit... Read more

    Affected Products : librechat
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Denial of Service

  • 8.8

    HIGH
    CVE-2024-11170

    A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. This can lead to arbitrary file write and potentially remote code execution. The issue is fixed in ... Read more

    Affected Products : librechat
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Path Traversal

  • 7.5

    HIGH
    CVE-2024-11169

    An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. The issue occurs when the fs module throws an exception while handling file uploads. An unauthenticated user can trigger this exception by sending a specially craf... Read more

    Affected Products : librechat
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Denial of Service

  • 9.4

    CRITICAL
    CVE-2024-11167

    An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prom... Read more

    Affected Products : librechat
    • Published: Mar. 20, 2025
    • Modified: Jul. 15, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2024-11137

    An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the... Read more

    Affected Products : lunary
    • Published: Mar. 20, 2025
    • Modified: Jul. 02, 2025
    • Vuln Type: Authorization

  • 9.6

    CRITICAL
    CVE-2024-11045

    A Cross-Site WebSocket Hijacking (CSWSH) vulnerability in automatic1111/stable-diffusion-webui version 1.10.0 allows an attacker to clone a malicious server extension from a GitHub repository. The vulnerability arises from the lack of proper validation on... Read more

    Affected Products : stable-diffusion-webui
    • Published: Mar. 20, 2025
    • Modified: Aug. 05, 2025
    • Vuln Type: Authentication

  • 6.1

    MEDIUM
    CVE-2024-11044

    An open redirect vulnerability in automatic1111/stable-diffusion-webui version 1.10.0 allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This vulnerability can be exploited to conduct phishing att... Read more

    Affected Products : stable-diffusion-webui
    • Published: Mar. 20, 2025
    • Modified: Aug. 05, 2025
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2024-11043

    A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the board_name field during a PATCH request. By s... Read more

    Affected Products :
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Denial of Service

  • 9.1

    CRITICAL
    CVE-2024-11042

    In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive ... Read more

    Affected Products :
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2024-11041

    vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by send... Read more

    Affected Products : vllm vllm
    • Published: Mar. 20, 2025
    • Modified: Jul. 31, 2025
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2024-11039

    A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. This vulnerability allows attackers to achieve remote command execution by deserializing u... Read more

    Affected Products : gpt_academic
    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2024-11037

    A path traversal vulnerability exists in binary-husky/gpt_academic at commit 679352d, which allows an attacker to bypass the blocked_paths protection and read the config.py file containing sensitive information such as the OpenAI API key. This vulnerabili... Read more

    Affected Products : gpt_academic
    • Published: Mar. 20, 2025
    • Modified: Jul. 31, 2025
    • Vuln Type: Path Traversal
Showing 20 of 293288 Results