Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2025-36427

    IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service due to insufficient validation of special elements in data query logic.... Read more

    Affected Products : db2
    • Published: Jan. 30, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Denial of Service

  • 6.5

    MEDIUM
    CVE-2026-24829

    Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4.... Read more

    Affected Products :
    • Published: Jan. 27, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Memory Corruption

  • 6.5

    MEDIUM
    CVE-2025-68039

    Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP BackItUp: from n/a through <= 2.0.0.... Read more

    Affected Products : backup_and_restore_wordpress
    • Published: Jan. 22, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-23888

    pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP en... Read more

    Affected Products : pnpm
    • Published: Jan. 26, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Path Traversal

  • 6.5

    MEDIUM
    CVE-2025-70091

    A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter.... Read more

    Affected Products :
    • Published: Feb. 13, 2026
    • Modified: Feb. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-67939

    Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2.... Read more

    Affected Products : tickera
    • Published: Jan. 22, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-1218

    A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity refere... Read more

    Affected Products : zhiyou_erp
    • Published: Jan. 20, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: XML External Entity

  • 6.5

    MEDIUM
    CVE-2026-24585

    Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hyyan WooCommerce Polylang Integration: from n/a... Read more

    Affected Products :
    • Published: Jan. 23, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-24361

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress &#8211; Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress &#8211; Course Review: from n/a throu... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-46699

    Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability... Read more

    Affected Products : data_protection_advisor
    • Published: Jan. 23, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Information Disclosure

  • 6.5

    MEDIUM
    CVE-2026-24617

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS.This issue affects Easy Modal: from n/a through <= 2.1.0.... Read more

    Affected Products :
    • Published: Jan. 23, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2026-20800

    Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifi... Read more

    Affected Products : gitea
    • Published: Jan. 22, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-36115

    IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system.... Read more

    • Published: Jan. 20, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2026-24421

    phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but ... Read more

    Affected Products : phpmyfaq
    • Published: Jan. 24, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-24565

    Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data.This issue affects B Accordion: from n/a through <= 2.0.0.... Read more

    Affected Products :
    • Published: Jan. 23, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Information Disclosure

  • 6.5

    MEDIUM
    CVE-2025-69315

    Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-59355

    A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive inf... Read more

    Affected Products : linkis
    • Published: Jan. 19, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Information Disclosure

  • 6.5

    MEDIUM
    CVE-2026-24420

    phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly val... Read more

    Affected Products : phpmyfaq
    • Published: Jan. 24, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-21968

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network ac... Read more

    Affected Products : mysql_server
    • Published: Jan. 20, 2026
    • Modified: Jan. 29, 2026

  • 6.5

    MEDIUM
    CVE-2026-20883

    Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.... Read more

    Affected Products : gitea
    • Published: Jan. 22, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization
Showing 20 of 4563 Results