Latest CVE Feed
-
9.8
CRITICALCVE-2026-1178
A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. ... Read more
Affected Products : ksoa- Published: Jan. 19, 2026
- Modified: Feb. 05, 2026
-
9.8
CRITICALCVE-2026-22864
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive compa... Read more
Affected Products : deno- Published: Jan. 15, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2026-1021
Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.... Read more
Affected Products : police_statistics_database_system- Published: Jan. 16, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2025-15521
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's ... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2026-22854
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allow... Read more
Affected Products : freerdp- Published: Jan. 14, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2026-24531
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion.This issue affects Prowess: from n/a through <= 2.3.... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2026-1423
A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remo... Read more
Affected Products : online_examination_system- Published: Jan. 26, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2026-2225
A flaw has been found in itsourcecode News Portal Project 1.0. This vulnerability affects unknown code of the file /admin/index.php of the component Administrator Login. This manipulation of the argument email causes sql injection. The attack can be initi... Read more
Affected Products : news_portal_project- Published: Feb. 09, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2020-37124
B64dec 1.1.2 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) with crafted input. Attackers can leverage an egg hunter technique and carefully constructed payload to... Read more
Affected Products :- Published: Feb. 05, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2023-54339
Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, suc... Read more
Affected Products : webgrind- Published: Jan. 13, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-0902
Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)... Read more
- Published: Jan. 20, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2026-23527
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly look... Read more
Affected Products : h3- Published: Jan. 15, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-0759
Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authenti... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
-
9.8
CRITICALCVE-2026-0756
github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of github-kanban-mcp-server. Authentication is not required to exploit... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
-
9.8
CRITICALCVE-2026-21227
Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.... Read more
Affected Products : azure_logic_apps- Published: Jan. 22, 2026
- Modified: Feb. 03, 2026
-
9.8
CRITICALCVE-2026-1130
A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiat... Read more
Affected Products : ksoa- Published: Jan. 19, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2026-21969
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker wit... Read more
Affected Products : agile_product_lifecycle_management_for_process- Published: Jan. 20, 2026
- Modified: Jan. 29, 2026
-
9.8
CRITICALCVE-2025-60021
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not valid... Read more
Affected Products : brpc- Published: Jan. 16, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-37184
A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary... Read more
Affected Products : edgeconnect_sd-wan_orchestrator- Published: Jan. 14, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-14502
The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php f... Read more
Affected Products :- Published: Jan. 14, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Path Traversal