Latest Critical CVEs
Updates on the latest high and critical severity vulnerabilities.
-
CVE-2025-31479 - GitHub Get-Workflow-Version-Action Token Truncation Vulnerability
CVE ID: CVE-2025-31479
Published: April 2, 2025, 10:15 p.m.
Description: canonical/get-workflow-version-action is a GitHub composite action that returns the commit SHA a GitHub Actions reusable workflow was called with. Prior to 1.0.1, if the get-workflow-version-action step fails, the exception output may include the GITHUB_TOKEN. When the full token appears in the output, GitHub automatically redacts it from the Actions logs; but the output may truncate the token, and a truncated value is not redacted, so part of the GITHUB_TOKEN is shown in plaintext in the GitHub Actions logs. Anyone with read access to the repository can view those logs, and for public repositories anyone at all can. The window for exploitation is narrow because the GITHUB_TOKEN is revoked automatically when the job completes, but an attacker can act in the time between the partial token appearing in the logs and the job finishing. Users who pass the github-token input are affected. This vulnerability is fixed in 1.0.1.
Severity: 8.2 | HIGH
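As an added example (not code from canonical/get-workflow-version-action or from GitHub), the PHP script below shows why exact-match redaction misses a truncated token, what a fragment-aware redactor looks like, and how to scan existing logs for leaked fragments. The token value is constructed for the demo; the "ghs_" prefix (GitHub's installation-token format, which GITHUB_TOKEN uses) and the 8-character fragment threshold are assumptions, not details from the advisory.

```php
<?php
// Added example, not code from canonical/get-workflow-version-action or GitHub.
// Shows why exact-match redaction misses a truncated token, a redactor that does
// not, and a scanner for leaked fragments. The token value is constructed; the
// "ghs_" prefix (GitHub's installation-token format, which GITHUB_TOKEN uses) and
// the 8-character fragment threshold are assumptions for the demo.
declare(strict_types=1);

const MIN_FRAGMENT = 8;

// Exact-match redaction, the behaviour the advisory describes: only a complete
// copy of the secret is replaced, so a cut-off token passes through untouched.
function redactExact(string $line, string $secret): string
{
    return str_replace($secret, '***', $line);
}

// Fragment-aware redaction: also replace every leading fragment of the secret of
// at least MIN_FRAGMENT characters, longest first, so an exception message that
// truncates the token still comes out masked.
function redactFragments(string $line, string $secret): string
{
    for ($len = strlen($secret); $len >= MIN_FRAGMENT; $len--) {
        $line = str_replace(substr($secret, 0, $len), '***', $line);
    }
    return $line;
}

// Post-hoc log review: report anything that looks like a ghs_ token fragment,
// since a leaked partial value never equals the full secret and so is invisible
// to exact matching.
function findTokenFragments(string $log): array
{
    preg_match_all('/ghs_[A-Za-z0-9]{4,}/', $log, $matches);
    return $matches[0];
}

$secret  = 'ghs_ExampleTokenValue0123456789abcdefXYZ';          // constructed, not a real token
$partial = substr($secret, 0, 20);                               // what a truncated message shows
$logLine = "Error: request failed with token {$partial}... (output truncated)";

echo redactExact($logLine, $secret), PHP_EOL;       // fragment survives
echo redactFragments($logLine, $secret), PHP_EOL;   // fragment masked
print_r(findTokenFragments($logLine));              // flags the leaked fragment
```

The lasting fix is to keep the token out of error output altogether; the fragment-aware redaction is defence in depth for logs you control, and the scanner is what to run over logs written before a fix shipped, since a partial token will never trip a search for the full value.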
-
CVE-2025-31722 - Jenkins Templating Engine Plugin Sandbox Bypass
CVE ID: CVE-2025-31722
Published: April 2, 2025, 3:15 p.m.
Description: In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
Severity: 8.8 | HIGH
-
CVE-2024-45064 - STMicroelectronics X-CUBE-AZRTOS-WL Buffer Overflow Vulnerability
CVE ID: CVE-2024-45064
Published: April 2, 2025, 2:15 p.m.
Description: A buffer overflow vulnerability exists in the FileX Internal RAM interface functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted set of network packets can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability.
Severity: 8.5 | HIGH
-
CVE-2025-3063 - WordPress Shopper Approved Reviews Privilege Escalation
CVE ID: CVE-2025-3063
Published: April 2, 2025, 10:15 a.m.
Description: The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
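As an added example, not the Shopper Approved Reviews plugin's own code, the two handlers below show the shape of the flaw the advisory describes (an admin-ajax option writer with no capability check) beside a hardened version. The hook names, option names and nonce action are assumed for illustration, and the code runs only inside WordPress.

```php
<?php
// Added example, not code from the Shopper Approved Reviews plugin. Hook names,
// option names and the nonce action are assumed; this runs only inside WordPress.

// Vulnerable shape: the handler is registered for logged-in users, so any
// Subscriber can POST to admin-ajax.php and write any option, e.g.
// default_role=administrator plus users_can_register=1, then sign up a new
// account that is born an administrator. Sanitising the input does not help;
// the missing piece is authorisation and a limit on which options are writable.
add_action('wp_ajax_example_update_option', 'example_update_option_vulnerable');
function example_update_option_vulnerable(): void
{
    $name  = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
    $value = sanitize_text_field(wp_unslash($_POST['value'] ?? ''));
    update_option($name, $value);   // no nonce, no capability check, no allow-list
    wp_send_json_success();
}

// Hardened shape: CSRF nonce, capability check, and an allow-list of the plugin's
// own options so WordPress core settings can never be written through this path.
const EXAMPLE_ALLOWED_OPTIONS = ['example_widget_enabled', 'example_site_id'];

add_action('wp_ajax_example_update_option_safe', 'example_update_option_safe');
function example_update_option_safe(): void
{
    check_ajax_referer('example_update_option', 'nonce');       // dies with -1 on failure
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);   // also terminates the request
    }
    $name = sanitize_key($_POST['name'] ?? '');
    if (!in_array($name, EXAMPLE_ALLOWED_OPTIONS, true)) {
        wp_send_json_error('option not permitted', 400);
    }
    $value = sanitize_text_field(wp_unslash($_POST['value'] ?? ''));
    update_option($name, $value);
    wp_send_json_success(['option' => $name]);
}

// The page that issues the request must send the matching nonce, created with
// wp_create_nonce('example_update_option') and passed e.g. via wp_localize_script().
```

Neither handler is registered under wp_ajax_nopriv_, so unauthenticated requests never reach them; that is exactly the point of the advisory's "Subscriber-level access and above": being logged in is not authorisation, so every state-changing AJAX callback needs its own capability check, and a handler that writes options should only ever write its own.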
-
CVE-2025-2005 - WordPress Front End Users Arbitrary File Upload Vulnerability
CVE ID: CVE-2025-2005
Published: April 2, 2025, 10:15 a.m.
Description: The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 9.8 | CRITICAL
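As an added example, not the Front End Users plugin's code, the function below shows how a registration-form upload should be validated before it is stored: the extension is checked against an allow-list and the file content is sniffed, so a PHP script renamed to .jpg is rejected rather than written under the web root. The field name, allow-list, size limit and storage call are assumptions; the code runs only inside WordPress.

```php
<?php
// Added example, not the Front End Users plugin's code: validating a registration
// form upload before storing it. Field name, allow-list and size limit are assumed.
// Runs only inside WordPress (uses wp_check_filetype_and_ext / wp_handle_upload).

const EXAMPLE_ALLOWED_MIMES = [
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
];

// Returns the stored file path on success, or a WP_Error describing why the
// upload was rejected. Never trusts the client-supplied name or MIME type alone.
function example_store_registration_upload(array $file)
{
    if (!isset($file['tmp_name'], $file['name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return new WP_Error('upload_failed', 'No file or transfer error');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return new WP_Error('upload_invalid', 'Not an uploaded file');
    }
    if (($file['size'] ?? 0) > 2 * MB_IN_BYTES) {
        return new WP_Error('upload_too_large', 'File exceeds 2 MB');
    }

    // Checks the extension against the allow-list AND sniffs the content (image
    // headers for images, finfo for the rest), so shell.jpg containing PHP fails.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], EXAMPLE_ALLOWED_MIMES);
    if (empty($check['ext']) || empty($check['type'])) {
        return new WP_Error('upload_type', 'File type not permitted');
    }

    // Discard the client's filename entirely; keep only the verified extension.
    $file['name'] = sanitize_file_name(wp_generate_uuid4() . '.' . $check['ext']);

    $result = wp_handle_upload($file, [
        'test_form' => false,                 // not coming through a wp-admin form
        'mimes'     => EXAMPLE_ALLOWED_MIMES, // wp_handle_upload re-checks the type
    ]);
    if (isset($result['error'])) {
        return new WP_Error('upload_failed', $result['error']);
    }
    return $result['file'];
}

// Usage in the registration handler (field name assumed):
// $stored = example_store_registration_upload($_FILES['example_attachment'] ?? []);
// if (is_wp_error($stored)) {
//     wp_die(esc_html($stored->get_error_message()));
// }
```

The two checks that matter against an unauthenticated attacker are the allow-list (never a deny-list of "dangerous" extensions, which misses .phtml, .phar and whatever the server maps next) and replacing the client filename, which also removes path separators and double extensions from the equation.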
-
CVE-2024-39780 - ROS dynparam YAML Deserialization Vulnerability (Arbitrary Code Execution)
CVE ID: CVE-2024-39780
Published: April 2, 2025, 8:15 a.m.
Description: A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code. This issue has now been fixed for ROS Noetic via commit 3d93ac13603438323d7e9fa74e879e45c5fe2e8e.
Severity: 8.4 | HIGH
-
CVE-2023-40714 - Fortinet FortiSIEM Path Traversal Privilege Escalation
CVE ID: CVE-2023-40714
Published: April 2, 2025, 8:15 a.m.
Description: A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.0 and 6.5.1 allows an attacker to escalate privileges by uploading certain GUI elements.
Severity: 9.9 | CRITICAL
-
CVE-2025-25060 - AssetView Unauthenticated File Access and Deletion Vulnerability
CVE ID: CVE-2025-25060
Published: April 2, 2025, 4:15 a.m.
Description: Missing authentication for critical function vulnerability exists in AssetView and AssetView CLOUD. If exploited, the files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker.
Severity: 8.2 | HIGH
-
CVE-2025-3067 - Google Chrome Android Custom Tabs Privilege Escalation Vulnerability
CVE ID: CVE-2025-3067
Published: April 2, 2025, 1:15 a.m.
Description: Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted app. (Chromium security severity: Medium)
Severity: 8.8 | HIGH
-
CVE-2025-3066 - Google Chrome Use-After-Free in Navigations Vulnerability
CVE ID: CVE-2025-3066
Published: April 2, 2025, 1:15 a.m.
Description: Use after free in Navigations in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity: 8.8 | HIGH
-
CVE-2025-31619 - Actionwear products sync SQL Injection
CVE ID: CVE-2025-31619
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in marcoingraiti Actionwear products sync allows SQL Injection. This issue affects Actionwear products sync: from n/a through 2.3.3.
Severity: 8.5 | HIGH
-
CVE-2025-31612 - Sabuj Kundu CBX Poll Object Injection Vulnerability
CVE ID: CVE-2025-31612
Published: April 1, 2025, 9:15 p.m.
Description: Deserialization of Untrusted Data vulnerability in Sabuj Kundu CBX Poll allows Object Injection. This issue affects CBX Poll: from n/a through 1.2.7.
Severity: 9.8 | CRITICAL
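The advisory names the weakness class without describing the plugin's code path, so the script below is an added illustration, not CBX Poll code: it shows what PHP object injection is (unserialize() on attacker-controlled input instantiates any loadable class with attacker-chosen properties, and that class's magic methods then run), and the two standard ways to close it. The gadget class and the serialized payload are constructed for the demo; the script runs under plain PHP 8 with no WordPress dependency.

```php
<?php
// Added example, not CBX Poll code: what unserialize() on attacker-controlled input
// lets an attacker do, and two ways to shut it off. The gadget class and the
// serialized payload are constructed for the demo.
declare(strict_types=1);

// A plausible "gadget": a class with a destructor that acts on a property.
// Real gadgets come from the plugin, WordPress core or any bundled library; the
// attacker only needs one to be loadable when unserialize() runs.
final class CacheFile
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        // A real gadget would unlink($this->path); the demo only reports it.
        echo "destructor would remove {$this->path}\n";
    }
}

// Attacker-controlled input, e.g. a cookie or a poll-vote field. Constructed here:
// the class name and the property value are chosen entirely by the sender.
$payload = 'O:9:"CacheFile":1:{s:4:"path";s:18:"/var/www/.htaccess";}';

// Vulnerable: any loadable class is instantiated with attacker-chosen properties,
// and its __wakeup/__destruct run with the web server's privileges.
function loadVulnerable(string $data): mixed
{
    return unserialize($data);
}

// Fix 1: refuse objects. Any object in the input becomes __PHP_Incomplete_Class,
// which has no behaviour; scalars and arrays still round-trip as before.
function loadNoObjects(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Fix 2: use JSON for anything a client sends back; it cannot express classes.
function loadJson(string $data): mixed
{
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

$safe = loadNoObjects($payload);
echo get_class($safe), "\n";                // an incomplete class: no methods, no destructor
var_dump(loadJson('{"path":"/tmp/x"}'));    // a plain array

$obj = loadVulnerable($payload);            // CacheFile built from the payload
unset($obj);                                // the gadget's destructor runs here
```

If a plugin genuinely needs objects back (rare for client-supplied data), pass an explicit list in allowed_classes rather than true; anything outside the list still degrades to __PHP_Incomplete_Class.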
-
CVE-2025-31579 - EXEIdeas International WP AutoKeyword SQL Injection
CVE ID: CVE-2025-31579
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in EXEIdeas International WP AutoKeyword allows SQL Injection. This issue affects WP AutoKeyword: from n/a through 1.0.
Severity: 9.3 | CRITICAL
-
CVE-2025-31564 - Aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT) SQL Injection Vulnerability
CVE ID: CVE-2025-31564
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT) All in One allows Blind SQL Injection. This issue affects Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT) All in One: from n/a through 2.1.7.
Severity: 8.5 | HIGH
-
CVE-2025-31561 - M. Tuhin Ultimate Push Notifications SQL Injection
CVE ID: CVE-2025-31561
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M. Tuhin Ultimate Push Notifications allows SQL Injection. This issue affects Ultimate Push Notifications: from n/a through 1.1.8.
Severity: 8.5 | HIGH
-
CVE-2025-31553 - WPFactory Advanced WooCommerce Product Sales Reporting SQL Injection
CVE ID: CVE-2025-31553
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting allows SQL Injection. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through 3.1.
Severity: 9.3 | CRITICAL
-
CVE-2025-31552 - RSVPMarker SQL Injection
CVE ID: CVE-2025-31552
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker allows SQL Injection. This issue affects RSVPMarker: from n/a through 11.4.8.
Severity: 9.3 | CRITICAL
-
CVE-2025-31551 - Salesmate.io Salesmate Add-On for Gravity Forms SQL Injection
CVE ID: CVE-2025-31551
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Salesmate.io Salesmate Add-On for Gravity Forms allows SQL Injection. This issue affects Salesmate Add-On for Gravity Forms: from n/a through 2.0.3.
Severity: 9.3 | CRITICAL
-
CVE-2025-31534 - Shopperdotcom Shopper SQL Injection
CVE ID: CVE-2025-31534
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper allows SQL Injection. This issue affects Shopper: from n/a through 3.2.5.
Severity: 9.3 | CRITICAL
-
CVE-2025-31531 - click5 History Log SQL Injection Vulnerability
CVE ID: CVE-2025-31531
Published: April 1, 2025, 9:15 p.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in click5 History Log by click5 allows SQL Injection. This issue affects History Log by click5: from n/a through 1.0.13.
Severity: 9.3 | CRITICAL
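Every SQL injection entry above (Actionwear products sync, WP AutoKeyword, Ai Auto Tool Content Writing Assistant, Ultimate Push Notifications, Advanced WooCommerce Product Sales Reporting, RSVPMarker, Salesmate Add-On for Gravity Forms, Shopper and History Log by click5) reports the same weakness class in a WordPress plugin without describing the individual query. The block below is an added illustration of that class, not code taken from any of those plugins: the concatenated-query shape beside the $wpdb->prepare() fix, plus the two places prepare() alone does not cover. Table, column and request field names are assumed, and the code runs only inside WordPress.

```php
<?php
// Added example, not taken from any of the plugins listed above: the query pattern
// behind this class of WordPress SQL injection and the $wpdb->prepare() fix.
// Table, column and request field names are assumed. Runs only inside WordPress.

// Vulnerable: request input concatenated into SQL. With ?user=1 OR 1=1 the WHERE
// clause matches every row; with a UNION the attacker reads other tables such as
// wp_users. esc_sql() would not save an unquoted numeric context like this one.
function example_rows_vulnerable(string $userId): array
{
    global $wpdb;
    $table = $wpdb->prefix . 'example_log';
    return $wpdb->get_results("SELECT id, action FROM {$table} WHERE user_id = {$userId}", ARRAY_A);
}

// Fixed: placeholders only. %d casts to an integer and %s becomes a quoted,
// escaped string. The table name comes from $wpdb->prefix, never from input, and
// prepare() receives the template and the values separately, never a built string.
function example_rows_safe(int $userId, string $action): array
{
    global $wpdb;
    $table = $wpdb->prefix . 'example_log';
    $sql = $wpdb->prepare(
        "SELECT id, action FROM {$table} WHERE user_id = %d AND action = %s",
        $userId,
        $action
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// LIKE needs the wildcard characters escaped as well, or % and _ in the input
// turn into pattern characters even though the value is correctly quoted.
function example_search_safe(string $term): array
{
    global $wpdb;
    $table = $wpdb->prefix . 'example_log';
    $like  = '%' . $wpdb->esc_like($term) . '%';
    return $wpdb->get_results(
        $wpdb->prepare("SELECT id, action FROM {$table} WHERE action LIKE %s", $like),
        ARRAY_A
    );
}

// ORDER BY takes an identifier, not a value, so %s would produce ORDER BY 'id'.
// Allow-list the column instead (WordPress 6.2+ also offers the %i placeholder).
function example_rows_sorted(string $orderBy): array
{
    global $wpdb;
    $allowed = ['id', 'action', 'created_at'];
    $column  = in_array($orderBy, $allowed, true) ? $orderBy : 'id';
    $table   = $wpdb->prefix . 'example_log';
    return $wpdb->get_results("SELECT id, action FROM {$table} ORDER BY {$column} DESC", ARRAY_A);
}

// Typical request handling (field names assumed):
// $rows = example_rows_safe(absint($_GET['user'] ?? 0), sanitize_text_field(wp_unslash($_GET['action'] ?? '')));
```

When reviewing a plugin for this class, grep for $wpdb->query, get_results, get_var and get_row calls whose first argument is a string with interpolated variables and no surrounding prepare(); the "Blind" variant named in the Ai Auto Tool entry is the same defect reached through a query whose result never appears in the page, which changes how it is exploited, not how it is fixed.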