Latest CVE Feed
-
5.4
MEDIUMCVE-2026-1665
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though ... Read more
Affected Products :- Published: Jan. 29, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Injection
-
5.4
MEDIUMCVE-2026-23568
An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause information disclosure or denial-of-ser... Read more
Affected Products : digital_employee_experience- Published: Jan. 29, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Information Disclosure
-
5.4
MEDIUMCVE-2026-23496
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Conf... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-69353
Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3.... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2026-24037
Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making t... Read more
Affected Products : horilla- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-71165
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper outpu... Read more
Affected Products : typesetter- Published: Jan. 14, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-14556
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9.... Read more
Affected Products : flag- Published: Jan. 14, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2026-23476
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. W... Read more
Affected Products : facturascripts- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2026-24601
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Pay Writer penci-pay-writer allows Stored XSS.This issue affects Penci Pay Writer: from n/a through <= 1.5.... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2026-22382
Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <=... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Cross-Site Request Forgery
-
5.4
MEDIUMCVE-2026-24581
Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Points and Rewards for WooCommerce: from n/a ... Read more
Affected Products : points_and_rewards_for_woocommerce- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2026-24595
Missing Authorization vulnerability in zohocrm Zoho CRM Lead Magnet zoho-crm-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zoho CRM Lead Magnet: from n/a through <= 1.8.1.5.... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-63026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor allows Stored XSS.This issue affects Grand Restaurant Theme Elements f... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2023-52212
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0.... Read more
Affected Products :- Published: Jan. 05, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Request Forgery
-
5.4
MEDIUMCVE-2025-71164
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper c... Read more
Affected Products : typesetter- Published: Jan. 14, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2026-23497
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on ... Read more
Affected Products : learning- Published: Jan. 14, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-14854
The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes ... Read more
Affected Products :- Published: Jan. 14, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-49336
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS.This issue affects Pondol BBS: from n/a through <= 1.1.8.4.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-13919
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking CO... Read more
Affected Products :- Published: Jan. 28, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Misconfiguration
-
5.4
MEDIUMCVE-2026-20958
Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network.... Read more
- Published: Jan. 13, 2026
- Modified: Jan. 14, 2026