Latest CVE Feed
-
9.1
CRITICALCVE-2025-64252
Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery.This issue affects ANAC XML Viewer: from n/a through <= 1.8.2.... Read more
Affected Products : anac_xml_viewer- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2026-24736
Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configura... Read more
Affected Products : squidex- Published: Jan. 27, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2026-1727
The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Clou... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Information Disclosure
-
9.1
CRITICALCVE-2026-25137
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the en... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2026-22247
GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.... Read more
Affected Products : glpi- Published: Feb. 04, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2026-25643
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sa... Read more
Affected Products : frigate- Published: Feb. 06, 2026
- Modified: Feb. 11, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2026-23722
WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly... Read more
Affected Products : wegia- Published: Jan. 16, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Cross-Site Scripting
-
9.1
CRITICALCVE-2025-65128
A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. By invoking operations whose n... Read more
Affected Products :- Published: Feb. 11, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-7659
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete... Read more
Affected Products : gitlab- Published: Feb. 11, 2026
- Modified: Feb. 13, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2026-25722
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude... Read more
Affected Products : claude_code- Published: Feb. 06, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2025-67944
Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.1.8.... Read more
Affected Products : nelio_ab_testing- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2025-68721
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management... Read more
Affected Products : axigen_mail_server- Published: Feb. 05, 2026
- Modified: Feb. 13, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-69312
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.... Read more
Affected Products : xpro_addons_for_elementor- Published: Jan. 22, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2025-57794
Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and execute... Read more
Affected Products : blue- Published: Jan. 28, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2026-23846
Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logge... Read more
Affected Products : tugtainer- Published: Jan. 19, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Information Disclosure
-
9.1
CRITICALCVE-2026-24679
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, The URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerab... Read more
Affected Products : freerdp- Published: Feb. 09, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Memory Corruption
-
9.1
CRITICALCVE-2026-25233
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.... Read more
Affected Products : pearweb- Published: Feb. 03, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-46651
Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.exa... Read more
Affected Products : tiny_file_manager- Published: Feb. 03, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2026-24874
Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Memory Corruption
-
9.1
CRITICALCVE-2021-47811
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list end... Read more
Affected Products : grocery_crud- Published: Jan. 16, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection