Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-14461

    The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) ... Read more

    Affected Products :
    • Published: Feb. 04, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2026-25562

    WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing a... Read more

    Affected Products :
    • Published: Feb. 07, 2026
    • Modified: Feb. 07, 2026
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2026-0808

    The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This ... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2023-38010

    IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system.... Read more

    Affected Products : cloud_pak_system
    • Published: Feb. 04, 2026
    • Modified: Feb. 05, 2026
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2025-12825

    The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauth... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-22645

    The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components.... Read more

    Affected Products : incoming_goods_suite
    • Published: Jan. 15, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2025-14078

    The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_cal... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-24117

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigge... Read more

    Affected Products : rekor
    • Published: Jan. 22, 2026
    • Modified: Feb. 02, 2026
    • Vuln Type: Server-Side Request Forgery

  • 5.3

    MEDIUM
    CVE-2026-24474

    Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04a... Read more

    Affected Products :
    • Published: Jan. 24, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2026-0950

    The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before re... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2026-24140

    MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() functi... Read more

    Affected Products : mytube
    • Published: Jan. 24, 2026
    • Modified: Feb. 02, 2026
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2026-24903

    OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaS... Read more

    Affected Products :
    • Published: Feb. 06, 2026
    • Modified: Feb. 06, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2026-1310

    The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_e... Read more

    Affected Products : simple_calendar_for_elementor
    • Published: Jan. 28, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-15510

    The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenti... Read more

    Affected Products : nex-forms
    • Published: Jan. 31, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-24036

    Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, des... Read more

    Affected Products : horilla
    • Published: Jan. 22, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-20080

    A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compute Software could allow an unauthenticated, remote attacker to cause the SSH service to stop responding. This vulnerability exists because the SSH service lacks effective f... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2026-23831

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function vali... Read more

    Affected Products : rekor
    • Published: Jan. 22, 2026
    • Modified: Feb. 02, 2026
    • Vuln Type: Supply Chain

  • 5.3

    MEDIUM
    CVE-2026-1801

    A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-67083

    Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.... Read more

    Affected Products : invoiceplane
    • Published: Jan. 15, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2026-24997

    Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wired Impact Volunteer Management: from n/a ... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Authorization
Showing 20 of 4567 Results