Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.2

    CRITICAL
    CVE-2025-66630

    Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUI... Read more

    Affected Products : fiber
    • Published: Feb. 09, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Cryptography

  • 9.2

    CRITICAL
    CVE-2025-66277

    A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations. We have already fixed the vulnerability in the... Read more

    Affected Products : quts_hero qts
    • Published: Feb. 11, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Path Traversal

  • 9.2

    CRITICAL
    CVE-2025-24293

    # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for th... Read more

    Affected Products : rails
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 9.2

    CRITICAL
    CVE-2026-1723

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1498_B20250826.... Read more

    Affected Products : x6000r_firmware
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 9.2

    CRITICAL
    CVE-2026-24804

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7603e/src/mt7603_wifi/common modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25... Read more

    Affected Products :
    • Published: Jan. 27, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Denial of Service

  • 9.1

    CRITICAL
    CVE-2026-22806

    vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access ... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2026-22264

    Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a... Read more

    Affected Products : suricata
    • Published: Jan. 27, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2026-25751

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthen... Read more

    Affected Products : fuxa
    • Published: Feb. 06, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Information Disclosure

  • 9.1

    CRITICAL
    CVE-2026-23966

    sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption i... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cryptography

  • 9.1

    CRITICAL
    CVE-2026-24677

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not validate the source buffer size, leading to an out-of-bounds read in sws_scale. This vulnerabilit... Read more

    Affected Products : freerdp
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2026-25057

    MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The... Read more

    Affected Products : markus
    • Published: Feb. 09, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2026-22247

    GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.... Read more

    Affected Products : glpi
    • Published: Feb. 04, 2026
    • Modified: Feb. 06, 2026
    • Vuln Type: Server-Side Request Forgery

  • 9.1

    CRITICAL
    CVE-2026-1727

    The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Clou... Read more

    Affected Products :
    • Published: Feb. 06, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Information Disclosure

  • 9.1

    CRITICAL
    CVE-2026-20750

    Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.... Read more

    Affected Products : gitea
    • Published: Jan. 22, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2026-22855

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.... Read more

    Affected Products : freerdp
    • Published: Jan. 14, 2026
    • Modified: Jan. 20, 2026
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2026-24736

    Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configura... Read more

    Affected Products : squidex
    • Published: Jan. 27, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Server-Side Request Forgery

  • 9.1

    CRITICAL
    CVE-2026-25643

    Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sa... Read more

    Affected Products : frigate
    • Published: Feb. 06, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2026-22482

    Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery.This issue affects IMGspider: from n/a through <= 2.3.12.... Read more

    Affected Products : imgspider
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Server-Side Request Forgery

  • 9.1

    CRITICAL
    CVE-2025-14829

    The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-67647

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.... Read more

    Affected Products : sveltekit adapter-node kit
    • Published: Jan. 15, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Server-Side Request Forgery
Showing 20 of 5048 Results