Latest CVE Feed
-
7.1
HIGHCVE-2026-25568
WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards... Read more
Affected Products : wekan- Published: Feb. 07, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Authorization
-
7.1
HIGHCVE-2026-24779
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url ... Read more
Affected Products : vllm- Published: Jan. 27, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Server-Side Request Forgery
-
7.1
HIGHCVE-2020-37115
GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and ... Read more
Affected Products : open_eclass_platform- Published: Feb. 03, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Information Disclosure
-
7.1
HIGHCVE-2020-36968
M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpo... Read more
Affected Products : m\/monit- Published: Jan. 28, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authentication
-
7.1
HIGHCVE-2019-25347
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to use... Read more
Affected Products :- Published: Feb. 12, 2026
- Modified: Feb. 13, 2026
- Vuln Type: Injection
-
7.1
HIGHCVE-2026-1514
Official Document Management System developed by 2100 Technology has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents.... Read more
Affected Products :- Published: Jan. 28, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-69218
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all upload... Read more
Affected Products : discourse- Published: Jan. 28, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Authorization
-
7.1
HIGHCVE-2021-47921
Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. Attackers can exploit the vulnerability without privileges to retrieve ... Read more
Affected Products :- Published: Feb. 01, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Path Traversal
-
7.1
HIGHCVE-2026-0918
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process t... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Denial of Service
-
7.1
HIGHCVE-2025-11743
A denial-of-service security issue in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault a restart is required to recover.... Read more
Affected Products : compactlogix_5370_firmware- Published: Jan. 20, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Denial of Service
-
7.1
HIGHCVE-2025-14911
User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Information Disclosure
-
7.1
HIGHCVE-2020-37053
Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using ... Read more
Affected Products : navigate_cms- Published: Jan. 30, 2026
- Modified: Feb. 13, 2026
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-69056
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS.This issue affects Hotel Listing: from n/a through <= 1.4.0.... Read more
Affected Products : hotel_directory- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2026-1315
By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of servic... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Denial of Service
-
7.1
HIGHCVE-2026-22444
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" securi... Read more
Affected Products : solr- Published: Jan. 21, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Path Traversal
-
7.1
HIGHCVE-2025-69054
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS.This issue affects Super Logos Showcase: from n/a through <= 2.8.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-67964
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.This issue affects Homey Core: from n/a through <= 2.4.3.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-67620
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS.This issue affects Anon: from n/a through <= 2.2.10.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-67960
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS.This issue affects WorkScout-Core: from n/a through <= 1.7.06.... Read more
Affected Products : workscout_core- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2020-37005
TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint t... Read more
Affected Products :- Published: Jan. 29, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Injection