Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.3

    MEDIUM
    CVE-2021-3986

    A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user att... Read more

    Affected Products : calibre-web
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 9.8

    CRITICAL
    CVE-2021-3902

    An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited ev... Read more

    Affected Products : dompdf
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 5.4

    MEDIUM
    CVE-2021-3841

    sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser.... Read more

    Affected Products : sylius
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 9.8

    CRITICAL
    CVE-2021-3838

    DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protoco... Read more

    Affected Products : dompdf
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 8.8

    HIGH
    CVE-2021-3742

    A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an ... Read more

    Affected Products : chatwoot
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 7.8

    HIGH
    CVE-2021-3741

    A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avata... Read more

    Affected Products : chatwoot
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 6.8

    MEDIUM
    CVE-2021-3740

    A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorize... Read more

    Affected Products : chatwoot
    • Published: Nov. 15, 2024
    • Modified: Jul. 10, 2025

  • 8.0

    HIGH
    CVE-2024-8979

    The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_lostpassword_... Read more

    Affected Products : essential_addons_for_elementor
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 5.7

    MEDIUM
    CVE-2024-8978

    The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_register_user... Read more

    Affected Products : essential_addons_for_elementor
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 8.8

    HIGH
    CVE-2024-10311

    The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. This is due to a missing capability check in the 'edba_admin_handle' function. This makes it possible for authenticated ... Read more

    Affected Products : external_database_based_actions
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 7.5

    HIGH
    CVE-2024-45784

    Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized u... Read more

    Affected Products : airflow
    • Published: Nov. 15, 2024
    • Modified: Jun. 03, 2025

  • 6.6

    MEDIUM
    CVE-2024-9529

    The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its setting import funct... Read more

    Affected Products : advanced_custom_fields
    • Published: Nov. 15, 2024
    • Modified: Jun. 11, 2025

  • 6.4

    MEDIUM
    CVE-2024-8961

    The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nomore_items_text’ parameter in all versions up to, and including, 6.0.7 ... Read more

    Affected Products : essential_addons_for_elementor
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 6.1

    MEDIUM
    CVE-2024-10825

    The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. This makes it possible for... Read more

    Affected Products : hide_my_wp_ghost
    • Published: Nov. 15, 2024
    • Modified: Nov. 20, 2024

  • 5.9

    MEDIUM
    CVE-2024-10104

    The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks... Read more

    Affected Products : jobs_for_wordpress
    • Published: Nov. 15, 2024
    • Modified: Apr. 11, 2025

  • 6.1

    MEDIUM
    CVE-2024-9356

    The Yotpo: Product & Photo Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'yotpo_user_email' and 'yotpo_user_name' parameters in all versions up to, and including, 1.7.8 due to insufficient input sanit... Read more

    Affected Products : yotpo
    • Published: Nov. 15, 2024
    • Modified: Nov. 20, 2024

  • 5.3

    MEDIUM
    CVE-2024-42499

    Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an attacker may be able to know whether a file exists at a specific path, and/or obtain... Read more

    Affected Products :
    • Published: Nov. 15, 2024
    • Modified: Nov. 18, 2024

  • 6.1

    MEDIUM
    CVE-2024-39610

    Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.... Read more

    Affected Products : fitnesse
    • Published: Nov. 15, 2024
    • Modified: Nov. 20, 2024

  • 7.2

    HIGH
    CVE-2024-10793

    The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthentica... Read more

    Affected Products : wp_activity_log
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024

  • 4.3

    MEDIUM
    CVE-2024-10582

    The Music Player for Elementor – Audio Player & Podcast Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_mpfe_template() function in all versions up to, and including, 2.4.1. Th... Read more

    Affected Products : music_player_for_elementor
    • Published: Nov. 15, 2024
    • Modified: Nov. 19, 2024
Showing 20 of 291712 Results