Latest CVE Feed
-
6.5
MEDIUMCVE-2026-24666
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated tea... Read more
- Published: Feb. 03, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Cross-Site Request Forgery
-
6.5
MEDIUMCVE-2025-14947
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunn... Read more
Affected Products : all-in-one_video_gallery- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-68006
Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data.This issue affects Booking Ultra Pro: from n/a through <= 1.1.23.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-36366
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termin... Read more
Affected Products : db2- Published: Jan. 30, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2026-2548
A flaw has been found in WAYOS FBM-220G 24.10.19. This affects the function sub_40F820 of the file rc. Executing a manipulation of the argument upnp_waniface/upnp_ssdp_interval/upnp_max_age can lead to command injection. The attack can be executed remotel... Read more
Affected Products :- Published: Feb. 16, 2026
- Modified: Feb. 16, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-15317
Tanium addressed an uncontrolled resource consumption vulnerability in Tanium Server.... Read more
Affected Products : server- Published: Feb. 09, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2026-25479
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . m... Read more
Affected Products : litestar- Published: Feb. 09, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2026-1623
A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit ha... Read more
- Published: Jan. 29, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2026-1235
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.... Read more
Affected Products :- Published: Feb. 11, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-67261
Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page.... Read more
Affected Products : retail_point_of_sale- Published: Jan. 20, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2026-1625
A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. Th... Read more
Affected Products : dwr-m961_firmware- Published: Jan. 29, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2026-24845
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI i... Read more
Affected Products :- Published: Jan. 29, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Supply Chain
-
6.5
MEDIUMCVE-2025-15400
The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers ... Read more
Affected Products :- Published: Feb. 11, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2026-2562
A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This impacts the function cast_streen of the file /jdcapi of the component jdcweb_rpc. Executing a manipulation of the argument File can lead to Remote Privilege Escalation.... Read more
Affected Products :- Published: Feb. 16, 2026
- Modified: Feb. 16, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-59355
A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive inf... Read more
Affected Products : linkis- Published: Jan. 19, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-10464
Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data.This issue affects Senseway: through 09022026. NOTE: The vendor was contacted early a... Read more
Affected Products :- Published: Feb. 09, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2026-23848
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Att... Read more
Affected Products : mytube- Published: Jan. 19, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2026-23890
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, a... Read more
Affected Products : pnpm- Published: Jan. 26, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2026-23889
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. O... Read more
- Published: Jan. 26, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-2668
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query.... Read more
Affected Products : db2- Published: Jan. 30, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Denial of Service