Latest CVE Feed
-
9.2
CRITICALCVE-2025-59108
By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced.... Read more
Affected Products :- Published: Jan. 26, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-55130
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can es... Read more
Affected Products : node.js- Published: Jan. 20, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2026-24346
Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application... Read more
- Published: Jan. 27, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-69312
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.... Read more
Affected Products : xpro_addons_for_elementor- Published: Jan. 22, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2021-47811
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list end... Read more
Affected Products : grocery_crud- Published: Jan. 16, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2023-54337
Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an applicat... Read more
Affected Products : multi_server- Published: Jan. 13, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Denial of Service
-
9.1
CRITICALCVE-2026-25160
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerabl... Read more
Affected Products :- Published: Feb. 04, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2026-24838
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versio... Read more
Affected Products : dotnetnuke- Published: Jan. 28, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Cross-Site Scripting
-
9.1
CRITICALCVE-2026-0491
SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization ... Read more
Affected Products :- Published: Jan. 13, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2026-25643
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sa... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2026-20897
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.... Read more
Affected Products : gitea- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2026-20912
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized user... Read more
Affected Products : gitea- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-46651
Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.exa... Read more
Affected Products :- Published: Feb. 03, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2025-68472
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’... Read more
Affected Products : mindsdb- Published: Jan. 12, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2025-11043
An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data... Read more
Affected Products :- Published: Jan. 19, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2026-24874
Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Memory Corruption
-
9.1
CRITICALCVE-2026-22908
Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality.... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2025-69990
phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted.... Read more
Affected Products : news_portal- Published: Jan. 13, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2025-14829
The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.... Read more
Affected Products :- Published: Jan. 13, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2026-25722
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude... Read more
Affected Products : claude_code- Published: Feb. 06, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Path Traversal