Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.1

    CRITICAL
    CVE-2026-23722

    WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly... Read more

    Affected Products : wegia
    • Published: Jan. 16, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.1

    CRITICAL
    CVE-2026-24874

    Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.... Read more

    Affected Products :
    • Published: Jan. 27, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-37168

    Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary ... Read more

    Affected Products : arubaos
    • Published: Jan. 13, 2026
    • Modified: Jan. 23, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-55130

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can es... Read more

    Affected Products : node.js
    • Published: Jan. 20, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-69990

    phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted.... Read more

    Affected Products : news_portal
    • Published: Jan. 13, 2026
    • Modified: Jan. 16, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2026-23846

    Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logge... Read more

    Affected Products : tugtainer
    • Published: Jan. 19, 2026
    • Modified: Feb. 05, 2026
    • Vuln Type: Information Disclosure

  • 9.1

    CRITICAL
    CVE-2026-22858

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char... Read more

    Affected Products : freerdp
    • Published: Jan. 14, 2026
    • Modified: Jan. 20, 2026
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-67944

    Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.1.8.... Read more

    Affected Products : nelio_ab_testing
    • Published: Jan. 22, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2026-25137

    The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the en... Read more

    Affected Products :
    • Published: Feb. 02, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2025-64252

    Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery.This issue affects ANAC XML Viewer: from n/a through <= 1.8.2.... Read more

    Affected Products : anac_xml_viewer
    • Published: Jan. 22, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Server-Side Request Forgery

  • 9.1

    CRITICAL
    CVE-2026-22909

    Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.... Read more

    Affected Products : tdc-x401gl_firmware tdc-x401gl
    • Published: Jan. 15, 2026
    • Modified: Jan. 23, 2026
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2026-24346

    Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application... Read more

    • Published: Jan. 27, 2026
    • Modified: Feb. 05, 2026
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2026-25848

    In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible... Read more

    Affected Products : hub
    • Published: Feb. 09, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Authentication

  • 9.1

    CRITICAL
    CVE-2025-51567

    A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword p... Read more

    Affected Products : online_exam_system
    • Published: Jan. 12, 2026
    • Modified: Jan. 16, 2026
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2026-20897

    Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.... Read more

    Affected Products : gitea
    • Published: Jan. 22, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2026-20912

    Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized user... Read more

    Affected Products : gitea
    • Published: Jan. 22, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization

  • 9.1

    CRITICAL
    CVE-2026-0491

    SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization ... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2026-22908

    Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality.... Read more

    Affected Products : tdc-x401gl_firmware tdc-x401gl
    • Published: Jan. 15, 2026
    • Modified: Jan. 23, 2026
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-68472

    MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’... Read more

    Affected Products : mindsdb
    • Published: Jan. 12, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Path Traversal

  • 9.1

    CRITICAL
    CVE-2025-69602

    A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from th... Read more

    Affected Products : 66biolinks
    • Published: Jan. 28, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Authentication
Showing 20 of 4811 Results