Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2026-25415

    Missing Authorization vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPBookit Pro: from n/a through <= 1.6.18.... Read more

    Affected Products :
    • Published: Feb. 19, 2026
    • Modified: Feb. 19, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-1733

    A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be init... Read more

    Affected Products : crmeb
    • Published: Feb. 01, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-1391

    The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possib... Read more

    Affected Products :
    • Published: Jan. 28, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-13985

    Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.... Read more

    Affected Products : entity_share
    • Published: Jan. 28, 2026
    • Modified: Feb. 06, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2023-38017

    IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.... Read more

    Affected Products : cloud_pak_system
    • Published: Feb. 04, 2026
    • Modified: Feb. 05, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-13930

    The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attac... Read more

    Affected Products :
    • Published: Feb. 19, 2026
    • Modified: Feb. 19, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-24027

    Crafted zones can lead to increased incoming network traffic.... Read more

    Affected Products : recursor
    • Published: Feb. 09, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2020-37096

    Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without ... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 5.3

    MEDIUM
    CVE-2026-1801

    A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-7630

    Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force.This issue affects Wispotter: from 1.0 befo... Read more

    Affected Products :
    • Published: Feb. 18, 2026
    • Modified: Feb. 18, 2026
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2026-25023

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data.This issue affects Run Contests, Raffles, ... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2026-1371

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, whi... Read more

    Affected Products : tutor_lms
    • Published: Feb. 03, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-24366

    Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Request A Quote: from n/a through... Read more

    Affected Products : yith_woocommerce_request_a_quote
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2026-25123

    Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP request... Read more

    Affected Products : homarr
    • Published: Feb. 06, 2026
    • Modified: Feb. 18, 2026
    • Vuln Type: Server-Side Request Forgery

  • 5.3

    MEDIUM
    CVE-2026-1657

    The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without impl... Read more

    Affected Products : eventprime
    • Published: Feb. 17, 2026
    • Modified: Feb. 18, 2026
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2020-37106

    Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request... Read more

    Affected Products :
    • Published: Feb. 07, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 5.3

    MEDIUM
    CVE-2026-20676

    This issue was addressed through improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, Safari 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through Safari web extensions.... Read more

    Affected Products : macos iphone_os safari ipados visionos
    • Published: Feb. 11, 2026
    • Modified: Feb. 17, 2026
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2026-2205

    A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remo... Read more

    Affected Products : wekan
    • Published: Feb. 08, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Information Disclosure

  • 5.3

    MEDIUM
    CVE-2026-25386

    Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ally: from n/a through <= 4.0.2.... Read more

    Affected Products :
    • Published: Feb. 19, 2026
    • Modified: Feb. 19, 2026
    • Vuln Type: Authorization

  • 5.3

    MEDIUM
    CVE-2025-14629

    The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attacker... Read more

    Affected Products :
    • Published: Jan. 24, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization
Showing 20 of 4958 Results