Latest CVE Feed

The following is the list of the latest published vulnerabilities. You can filter the list by the severity of the vulnerability, by whether it is actively exploited (listed in the CISA KEV catalog), or by whether it is remotely exploitable. You can also sort the list by published date, last updated date, or CVSS score.
  • CVE-2025-46571 (CVSS 5.4, MEDIUM)
    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the `/api/v1/files/` backend endpoint. This endpoint re...
    Affected Products: open_webui
    • Published: May. 05, 2025
    • Modified: Jun. 17, 2025
    • Vuln Type: Cross-Site Scripting
  • CVE-2025-46559 (CVSS 7.5, HIGH)
    Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. T...
    Affected Products: misskey
    • Published: May. 05, 2025
    • Modified: Sep. 03, 2025
    • Vuln Type: Authorization
  • CVE-2025-46553 (CVSS 6.1, MEDIUM)
    @misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, i...
    Affected Products: misskey
    • Published: May. 05, 2025
    • Modified: Sep. 03, 2025
    • Vuln Type: Misconfiguration
  • CVE-2025-46340 (CVSS 7.2, HIGH)
    Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbit...
    Affected Products: misskey
    • Published: May. 05, 2025
    • Modified: Sep. 03, 2025
    • Vuln Type: Cross-Site Scripting
  • CVE-2025-46335 (CVSS 8.6, HIGH)
    Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerabil...
    Affected Products: mobile_security_framework
    • Published: May. 05, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Cross-Site Scripting
  • CVE-2025-43852 (CVSS 9.8, CRITICAL)
    Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr functi...
    • Published: May. 05, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Misconfiguration
  • CVE-2025-43851 (CVSS 9.8, CRITICAL)
    Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr functi...
    • Published: May. 05, 2025
    • Modified: Aug. 01, 2025
  • CVE-2025-43850 (CVSS 9.8, CRITICAL)
    Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_dir variable takes user input (e.g. a path to a model) and passes it to the change_info fu...
    • Published: May. 05, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Misconfiguration
  • CVE-2025-43849 (CVSS 9.8, CRITICAL)
    Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_a and cpkt_b variables take user input (e.g. a path to a model) and pass it to the merge f...
    • Published: May. 05, 2025
    • Modified: Aug. 01, 2025
    • Vuln Type: Misconfiguration
  • CVE-2025-29573 (CVSS 6.1, MEDIUM)
    Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module....
    Affected Products: mezzanine
    • Published: May. 05, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Cross-Site Scripting
  • CVE-2024-42213 (CVSS 5.3, MEDIUM)
    HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files by indexing or by retrieval via predictable URLs or misconfigured permissions, leading to information disclosu...
    Affected Products: bigfix_compliance
    • Published: May. 05, 2025
    • Modified: Jun. 17, 2025
    • Vuln Type: Information Disclosure
  • CVE-2024-42212 (CVSS 5.4, MEDIUM)
    HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions....
    Affected Products: bigfix_compliance
    • Published: May. 05, 2025
    • Modified: Jun. 17, 2025
    • Vuln Type: Cross-Site Request Forgery
  • CVE-2025-4282 (CVSS 8.8, HIGH)
    A vulnerability has been found in SourceCodester/oretnom23 Stock Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save. The manipulation leads to cross-site request forgery. The ...
    • Published: May. 05, 2025
    • Modified: May. 14, 2025
    • Vuln Type: Cross-Site Request Forgery
  • CVE-2025-4096 (CVSS 8.8, HIGH)
    Heap buffer overflow in HTML in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)...
    Affected Products: chrome edge_chromium
    • Published: May. 05, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Memory Corruption
  • CVE-2025-4052 (CVSS 9.8, CRITICAL)
    Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: ...
    Affected Products: chrome edge_chromium
    • Published: May. 05, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Authorization
  • CVE-2025-4051 (CVSS 6.3, MEDIUM)
    Insufficient data validation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: ...
    Affected Products: chrome edge_chromium
    • Published: May. 05, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Authorization
  • CVE-2025-4050 (CVSS 8.8, HIGH)
    Out of bounds memory access in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: M...
    Affected Products: chrome edge_chromium
    • Published: May. 05, 2025
    • Modified: May. 28, 2025
    • Vuln Type: Memory Corruption
  • CVE-2025-45239 (CVSS 5.3, MEDIUM)
    An issue in the restores method (DataBackup.php) of foxcms v2.0.6 allows attackers to execute a directory traversal....
    Affected Products: foxcms foxcms
    • Published: May. 05, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Path Traversal
  • CVE-2025-45238 (CVSS 9.1, CRITICAL)
    foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method....
    Affected Products: foxcms
    • Published: May. 05, 2025
    • Modified: Jun. 12, 2025
    • Vuln Type: Authorization
  • CVE-2025-45237 (CVSS 7.5, HIGH)
    Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password....
    Affected Products: dbsyncer
    • Published: May. 05, 2025
    • Modified: Jun. 16, 2025
    • Vuln Type: Authorization
Showing 20 of 294282 Results