Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2026-1056

    The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated a... Read more

    Affected Products :
    • Published: Jan. 28, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2026-1357

    The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined ... Read more

    Affected Products : migration\,_backup\,_staging
    • Published: Feb. 11, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2020-36964

    YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buff... Read more

    Affected Products :
    • Published: Jan. 28, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Denial of Service

  • 9.8

    CRITICAL
    CVE-2021-47900

    Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_e... Read more

    Affected Products :
    • Published: Jan. 27, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-1118

    A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attac... Read more

    Affected Products : society_management_system
    • Published: Jan. 18, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2020-37124

    B64dec 1.1.2 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) with crafted input. Attackers can leverage an egg hunter technique and carefully constructed payload to... Read more

    Affected Products :
    • Published: Feb. 05, 2026
    • Modified: Feb. 05, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-50002

    Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server.This issue affects Energia: from n/a through <= 1.1.2.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2026-22852

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback... Read more

    Affected Products : freerdp
    • Published: Jan. 14, 2026
    • Modified: Jan. 20, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-60021

    Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not valid... Read more

    Affected Products : brpc
    • Published: Jan. 16, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-0773

    Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerabil... Read more

    Affected Products : upsonic
    • Published: Jan. 23, 2026
    • Modified: Jan. 26, 2026

  • 9.8

    CRITICAL
    CVE-2023-54330

    Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targe... Read more

    Affected Products : inbit_messenger
    • Published: Jan. 13, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2021-47854

    DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buf... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2026-1221

    PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware.... Read more

    Affected Products :
    • Published: Jan. 20, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-24515

    In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.... Read more

    Affected Products : libexpat
    • Published: Jan. 23, 2026
    • Modified: Feb. 05, 2026
    • Vuln Type: XML External Entity

  • 9.8

    CRITICAL
    CVE-2025-14533

    The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes i... Read more

    Affected Products : advanced_custom_fields_extended
    • Published: Jan. 20, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2022-50894

    VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with mali... Read more

    Affected Products : wallpaper_admin
    • Published: Jan. 13, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-65783

    An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.... Read more

    Affected Products : hub
    • Published: Jan. 13, 2026
    • Modified: Feb. 05, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-22582

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: befor... Read more

    Affected Products :
    • Published: Jan. 24, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-1129

    A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be perfo... Read more

    Affected Products : ksoa
    • Published: Jan. 19, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-22708

    Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user ... Read more

    Affected Products : cursor
    • Published: Jan. 14, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Misconfiguration
Showing 20 of 4971 Results