Latest CVE Feed
-
9.1
CRITICALCVE-2026-23966
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption i... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cryptography
-
9.1
CRITICALCVE-2026-24379
Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.3.... Read more
Affected Products : wp_job_portal- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-67944
Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.1.8.... Read more
Affected Products : nelio_ab_testing- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2025-55130
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can es... Read more
Affected Products : node.js- Published: Jan. 20, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2024-5986
A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is t... Read more
- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2026-20912
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized user... Read more
Affected Products : gitea- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2026-20897
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.... Read more
Affected Products : gitea- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-68472
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’... Read more
Affected Products : mindsdb- Published: Jan. 12, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2025-69990
phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted.... Read more
Affected Products : news_portal- Published: Jan. 13, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2026-25137
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the en... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-69312
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.... Read more
Affected Products : xpro_addons_for_elementor- Published: Jan. 22, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2026-22908
Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality.... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2026-22909
Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2021-47811
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list end... Read more
Affected Products : grocery_crud- Published: Jan. 16, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2025-25176
Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform.... Read more
Affected Products : ddk- Published: Jan. 13, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Information Disclosure
-
9.1
CRITICALCVE-2026-23722
WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly... Read more
Affected Products : wegia- Published: Jan. 16, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Cross-Site Scripting
-
9.1
CRITICALCVE-2025-64252
Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery.This issue affects ANAC XML Viewer: from n/a through <= 1.8.2.... Read more
Affected Products : anac_xml_viewer- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2026-25848
In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible... Read more
Affected Products : hub- Published: Feb. 09, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-70985
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.... Read more
Affected Products : ruoyi- Published: Jan. 23, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-51567
A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword p... Read more
Affected Products : online_exam_system- Published: Jan. 12, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Injection