Latest CVE Feed

The following is a list of the latest published vulnerabilities. You can filter the list by the severity of the vulnerability, by whether it is actively exploited (i.e., listed in the CISA Known Exploited Vulnerabilities (KEV) catalog), or by whether it is remotely exploitable. You can also sort the list by published date, last updated date, or CVSS score.
  • CVE-2024-9467 (CVSS 7.0, HIGH)
    A reflected XSS vulnerability in Palo Alto Networks Expedition enables execution of malicious JavaScript in the context of an authenticated Expedition user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Exp...
    • Published: Oct. 09, 2024
    • Modified: Oct. 15, 2024
  • CVE-2024-9466 (CVSS 8.2, HIGH)
    A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.
    • Published: Oct. 09, 2024
    • Modified: Oct. 17, 2024
  • CVE-2024-9465 (CVSS 9.2, CRITICAL)
    An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create...
    • Actively Exploited
    • Published: Oct. 09, 2024
    • Modified: Nov. 15, 2024
  • CVE-2024-9464 (CVSS 9.3, CRITICAL)
    An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API ke...
    • Published: Oct. 09, 2024
    • Modified: Oct. 17, 2024
  • CVE-2024-9463 (CVSS 9.9, CRITICAL)
    An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API ...
    • Actively Exploited
    • Published: Oct. 09, 2024
    • Modified: Nov. 15, 2024
  • CVE-2024-46307 (CVSS 7.5, HIGH)
    A loophole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of products.
    Affected Products : sparkshop
    • Published: Oct. 09, 2024
    • Modified: Oct. 15, 2024
  • CVE-2024-45746 (CVSS 9.8, CRITICAL)
    An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) and output arguments (out_vec). These list pointers are never validated. Each argument lis...
    • Published: Oct. 09, 2024
    • Modified: Oct. 11, 2024
  • CVE-2024-43610 (CVSS 7.5, HIGH)
    Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows an unauthenticated attacker to view sensitive information through network attack vector...
    Affected Products : copilot_studio
    • Published: Oct. 09, 2024
    • Modified: Jan. 10, 2025
  • CVE-2024-42988 (CVSS 4.3, MEDIUM)
    Lack of access control in ChallengeSolves (/api/v1/challenges/<challenge id>/solves) of CTFd v2.0.0 - v3.7.2 allows authenticated users to retrieve a list of users who have solved the challenge, regardless of the Account Visibility settings. The issue is ...
    • Published: Oct. 09, 2024
    • Modified: Feb. 10, 2025
  • CVE-2024-46316 (CVSS 8.0, HIGH)
    DrayTek Vigor3900 v1.5.1.6 was discovered to contain a command injection vulnerability via the sub_2C920 function at /cgi-bin/mainfunction.cgi. This vulnerability allows attackers to execute arbitrary commands via supplying a crafted HTTP message.
    Affected Products : vigor3900_firmware vigor3900
    • Published: Oct. 09, 2024
    • Modified: Apr. 10, 2025
  • CVE-2024-46304 (CVSS 7.5, HIGH)
    A NULL pointer dereference in libcoap v4.3.5-rc2 and below allows a remote attacker to cause a denial of service via the coap_handle_request_put_block function in src/coap_block.c.
    • Published: Oct. 09, 2024
    • Modified: Oct. 10, 2024
  • CVE-2024-46292 (CVSS 7.5, HIGH)
    A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation in...
    Affected Products : modsecurity
    • Published: Oct. 09, 2024
    • Modified: Jun. 17, 2025
  • CVE-2024-25825 (CVSS 9.8, CRITICAL)
    FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password.
    • Published: Oct. 09, 2024
    • Modified: Oct. 11, 2024
  • CVE-2024-9675 (CVSS 7.8, HIGH)
    A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write)...
    • Published: Oct. 09, 2024
    • Modified: Aug. 25, 2025
  • CVE-2024-9671 (CVSS 5.3, MEDIUM)
    A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed.
    Affected Products : 3scale_api_management_platform
    • Published: Oct. 09, 2024
    • Modified: Dec. 04, 2024
  • CVE-2024-8048 (CVSS 7.8, HIGH)
    In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.
    Affected Products : telerik_reporting
    • Published: Oct. 09, 2024
    • Modified: Oct. 15, 2024
  • CVE-2024-8015 (CVSS 9.1, CRITICAL)
    In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability.
    • Published: Oct. 09, 2024
    • Modified: Oct. 15, 2024
  • CVE-2024-8014 (CVSS 8.8, HIGH)
    In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.
    Affected Products : telerik_reporting
    • Published: Oct. 09, 2024
    • Modified: Oct. 15, 2024
  • CVE-2024-7840 (CVSS 7.8, HIGH)
    In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements.
    Affected Products : telerik_reporting
    • Published: Oct. 09, 2024
    • Modified: Oct. 15, 2024
  • CVE-2024-7294 (CVSS 7.5, HIGH)
    In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.
    • Published: Oct. 09, 2024
    • Modified: Oct. 15, 2024
Showing 20 of 294848 Results