Latest CVE Feed
-
5.4
MEDIUMCVE-2025-66140
Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uper for Elementor: from n/a through <= 1.0.5.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2026-22253
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting th... Read more
Affected Products : soft_serve- Published: Jan. 08, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2026-22426
Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2026-22916
An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration.... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-36397
IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.... Read more
Affected Products : application_gateway- Published: Jan. 20, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-22725
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Stored XSS.This issue affects WP Virtual Assistant: from n/a through <= 3.0.... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2026-1421
A vulnerability has been found in code-projects Online Examination System 1.0. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed... Read more
Affected Products : online_examination_system- Published: Jan. 26, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-14001
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it po... Read more
Affected Products : wp_duplicate_page- Published: Jan. 13, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2026-1431
The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthent... Read more
Affected Products : booking_calendar- Published: Jan. 31, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-13985
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.... Read more
Affected Products :- Published: Jan. 28, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-15548
Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality.... Read more
Affected Products :- Published: Jan. 29, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Cryptography
-
5.3
MEDIUMCVE-2025-68659
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attac... Read more
Affected Products : discourse- Published: Jan. 28, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2026-22447
Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Prowess: from n/a through <= 1.8.1.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12810
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in eve... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authentication
-
5.3
MEDIUMCVE-2026-22263
Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.... Read more
Affected Products : suricata- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2026-24806
Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGIma... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Injection
-
5.3
MEDIUMCVE-2026-1213
All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.... Read more
Affected Products : askbot- Published: Jan. 27, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2026-25234
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This i... Read more
Affected Products : pearweb- Published: Feb. 03, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Injection
-
5.3
MEDIUMCVE-2020-36906
P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify s... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Request Forgery
-
5.3
MEDIUMCVE-2026-1745
A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclos... Read more
Affected Products : medical_certificate_generator_app- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Cross-Site Request Forgery