Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
  • 5.4

    MEDIUM
    CVE-2026-24433

    Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and... Read more

    Affected Products : w30e_firmware w30e
    • Published: Jan. 26, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-25574

    Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments us... Read more

    Affected Products : payload
    • Published: Feb. 06, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Authorization
  • 5.4

    MEDIUM
    CVE-2026-23613

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to /Mail... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23611

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter to /Mail... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-26345

    SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that exec... Read more

    Affected Products : spip
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23604

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter ... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23605

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName paramet... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23606

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtRuleName pa... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23607

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spam Whitelist management interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtDescription paramete... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23609

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv3$txtDescription paramet... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23614

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework IP Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv2$txtIPDescription... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23615

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework Email Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv4$txtEmailDescr... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23618

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvSubject$TXB_S... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-23619

    GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter to /MailEss... Read more

    Affected Products : mailessentials
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-26059

    ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Versio... Read more

    Affected Products : churchcrm
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.3

    MEDIUM
    CVE-2026-25374

    Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spa and Salon: from n/a through <= 1.3.2.... Read more

    Affected Products :
    • Published: Feb. 19, 2026
    • Modified: Feb. 19, 2026
    • Vuln Type: Authorization
  • 5.3

    MEDIUM
    CVE-2026-0679

    The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated att... Read more

    Affected Products :
    • Published: Feb. 04, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authorization
  • 5.3

    MEDIUM
    CVE-2026-22445

    Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Apimo Connector: from n/a through <= 2.6.4.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization
  • 5.3

    MEDIUM
    CVE-2026-25766

    Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static... Read more

    Affected Products : echo
    • Published: Feb. 19, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Path Traversal
  • 5.3

    MEDIUM
    CVE-2019-25447

    OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or d... Read more

    Affected Products : orientdb
    • Published: Feb. 20, 2026
    • Modified: Feb. 20, 2026
    • Vuln Type: Cross-Site Request Forgery
Showing 20 of 5169 Results