Latest CVE Feed
-
9.8
CRITICALCVE-2026-1129
A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be perfo... Read more
Affected Products : ksoa- Published: Jan. 19, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-2132
A security flaw has been discovered in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the argument txtcat results in sql injection. The attack can... Read more
Affected Products : online_music_site- Published: Feb. 08, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-2133
A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to... Read more
Affected Products : online_music_site- Published: Feb. 08, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2026-2171
A vulnerability was found in code-projects Online Student Management System 1.0. Affected is an unknown function of the file accounts.php of the component Login. Performing a manipulation of the argument username/password results in sql injection. The att... Read more
Affected Products : online_student_management_system- Published: Feb. 08, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-69431
The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's ... Read more
- Published: Feb. 03, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2023-54330
Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targe... Read more
Affected Products : inbit_messenger- Published: Jan. 13, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2026-22857
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.... Read more
Affected Products : freerdp- Published: Jan. 14, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2026-23883
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger... Read more
Affected Products : freerdp- Published: Jan. 19, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2026-1413
A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulatio... Read more
Affected Products : operation_and_maintenance_security_management_system- Published: Jan. 26, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-2248
METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) pr... Read more
Affected Products :- Published: Feb. 11, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2026-2090
A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be e... Read more
Affected Products : online_class_record_system- Published: Feb. 07, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-0760
Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authenticatio... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
-
9.8
CRITICALCVE-2025-14301
The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authenticati... Read more
Affected Products :- Published: Jan. 14, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-40554
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.... Read more
Affected Products : web_help_desk- Published: Jan. 28, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-50003
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion.This issue affects Amuli: from n/a through <= 2.3.0.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2026-1159
A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Executing a manipulation of the argument product_name can lead to sql injection. The attack c... Read more
- Published: Jan. 19, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-1420
A flaw has been found in Tenda AC23 16.03.07.52. This impacts an unknown function of the file /goform/WifiExtraSet. This manipulation of the argument wpapsk_crypto causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been... Read more
- Published: Jan. 26, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-66417
GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.... Read more
Affected Products : glpi- Published: Jan. 15, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-2089
A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of th... Read more
Affected Products : online_class_record_system- Published: Feb. 07, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-2088
A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to sql injection. The attack may be launched remotel... Read more
Affected Products : beauty_parlour_management_system- Published: Feb. 07, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection