Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2026-1176

    A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack ... Read more

    • Published: Jan. 19, 2026
    • Modified: Feb. 02, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-1423

    A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remo... Read more

    Affected Products : online_examination_system
    • Published: Jan. 26, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2026-23760

    SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when re... Read more

    Affected Products : smartermail
    • Actively Exploited
    • Published: Jan. 22, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-69559

    code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php.... Read more

    Affected Products : computer_book_store
    • Published: Jan. 27, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2020-37069

    Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the NLST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute ... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-69562

    code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter.... Read more

    Affected Products : mobile_shop_management_system
    • Published: Jan. 27, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-21969

    Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker wit... Read more

    • Published: Jan. 20, 2026
    • Modified: Jan. 29, 2026

  • 9.8

    CRITICAL
    CVE-2026-1545

    A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from... Read more

    • Published: Jan. 28, 2026
    • Modified: Feb. 02, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-2158

    A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely... Read more

    Affected Products : student_web_portal
    • Published: Feb. 08, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-23524

    Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instan... Read more

    Affected Products : laravel
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2022-25369

    An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authe... Read more

    Affected Products :
    • Published: Jan. 23, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-22709

    vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbo... Read more

    Affected Products : vm2
    • Published: Jan. 26, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2026-1160

    A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to sql injection. The attack may be... Read more

    Affected Products : directory_management_system
    • Published: Jan. 19, 2026
    • Modified: Feb. 06, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2021-47854

    DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buf... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2020-37002

    Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a sp... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2020-37012

    Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when ... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2020-37010

    BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the Advanced Search keywords input that allows attackers to execute arbitrary code. Attackers can craft a specially designed payload to overwrite the EIP register and execute shellcode by pa... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2026-23975

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.This issue affects Golo: from n/a through < 1.7.5.... Read more

    Affected Products : golo
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-49055

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through <= 2.5.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2020-36997

    BacklinkSpeed 2.4 contains a buffer overflow vulnerability that allows attackers to corrupt the Structured Exception Handler (SEH) chain through malicious file import. Attackers can craft a specially designed payload file to overwrite SEH addresses, poten... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Memory Corruption
Showing 20 of 4600 Results