Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2024-10907

    In lm-sys/fastchat Release v0.2.36, the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary. Each ... Read more

    Affected Products : fastchat
    • Published: Mar. 20, 2025
    • Modified: Jul. 31, 2025
    • Vuln Type: Denial of Service

  • 8.1

    HIGH
    CVE-2024-10906

    In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all requests. This configuration makes all endpoints expose... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 9.8

    CRITICAL
    CVE-2024-10902

    In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upload arbitrary files to the victim's file system at any l... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2024-10901

    In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write, enabling them to wri... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2024-10835

    In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/sql/run` allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabl... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2024-10834

    eosphoros-ai/db-gpt version 0.6.0 contains a vulnerability in the RAG-knowledge endpoint that allows for arbitrary file write. The issue arises from the ability to pass an absolute path to a call to `os.path.join`, enabling an attacker to write files to a... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2024-10833

    eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as 'knowledge' is susceptible to absolute path traversal, allowing attackers to write files to arbitrary locations on th... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2024-10831

    In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the `fil... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal

  • 8.2

    HIGH
    CVE-2024-10830

    A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. This vulnerability allows an attacker to delete any file on the server by manipulating the `file_key` parameter. The `file_key` ... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Path Traversal

  • 7.5

    HIGH
    CVE-2024-10829

    A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of eosphoros-ai/db-gpt v0.6.0 allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended... Read more

    Affected Products : db-gpt
    • Published: Mar. 20, 2025
    • Modified: Jul. 17, 2025
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2024-10821

    A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characte... Read more

    Affected Products :
    • Published: Mar. 20, 2025
    • Modified: Mar. 20, 2025
    • Vuln Type: Denial of Service

  • 8.8

    HIGH
    CVE-2024-10819

    A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. This can lead to unauthorized file uploads and potentia... Read more

    Affected Products : gpt_academic
    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.1

    MEDIUM
    CVE-2024-10812

    An open redirect vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability occurs when a user is redirected to a URL specified by user-controlled input in the 'file' parameter without proper validation or sanitization. This can be ... Read more

    Affected Products : gpt_academic
    • Published: Mar. 20, 2025
    • Modified: Jul. 14, 2025
    • Vuln Type: Misconfiguration

  • 8.1

    HIGH
    CVE-2024-10762

    In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriat... Read more

    Affected Products : lunary
    • Published: Mar. 20, 2025
    • Modified: Jul. 02, 2025
    • Vuln Type: Authorization

  • 6.1

    MEDIUM
    CVE-2024-10727

    A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe m... Read more

    Affected Products : phpipam
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2024-10725

    A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which are then executed in the context of other users who view the affected ... Read more

    Affected Products : phpipam
    • Published: Mar. 20, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2024-10724

    A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. This vulnerability allows an attacker to execute malicious code. The issue... Read more

    Affected Products : phpipam
    • Published: Mar. 20, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2024-10723

    A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the destination address field of the NAT tool, which can be executed when a user inte... Read more

    Affected Products : phpipam
    • Published: Mar. 20, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2024-10722

    A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the 'Description' field of custom fields in the 'IP RELATED MANAGEMENT' section. This can lead t... Read more

    Affected Products : phpipam
    • Published: Mar. 20, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2024-10721

    A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which can be executed in the context of other users who view the aff... Read more

    Affected Products : phpipam
    • Published: Mar. 20, 2025
    • Modified: Apr. 01, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 293335 Results