Latest CVE Feed
-
9.0
CRITICALCVE-2025-68015
Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3.... Read more
Affected Products : event_tickets_with_ticket_scanner- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Injection
-
9.0
CRITICALCVE-2025-30248
DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path.... Read more
Affected Products : wd_discovery- Published: Jan. 26, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Misconfiguration
-
9.0
CRITICALCVE-2026-24772
OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently va... Read more
Affected Products : openproject- Published: Jan. 28, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Server-Side Request Forgery
-
9.0
HIGHCVE-2026-1328
A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow... Read more
- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Memory Corruption
-
9.0
CRITICALCVE-2026-23520
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-u... Read more
Affected Products : arcane- Published: Jan. 15, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Injection
-
8.9
HIGHCVE-2026-24932
The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to pe... Read more
Affected Products : data_master- Published: Feb. 03, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Misconfiguration
-
8.9
HIGHCVE-2026-24895
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the reque... Read more
Affected Products :- Published: Feb. 12, 2026
- Modified: Feb. 13, 2026
- Vuln Type: Path Traversal
-
8.9
HIGHCVE-2026-25990
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.... Read more
Affected Products : pillow- Published: Feb. 11, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Memory Corruption
-
8.9
HIGHCVE-2025-11044
An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenti-cated attacker on the network to win a race condition... Read more
Affected Products :- Published: Jan. 19, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Race Condition
-
8.9
HIGHCVE-2026-24933
The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack ... Read more
Affected Products : data_master- Published: Feb. 03, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Cryptography
-
8.9
HIGHCVE-2026-24124
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. Th... Read more
Affected Products : dragonfly- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-69180
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themepassion Ultra Portfolio ultra-portfolio allows Blind SQL Injection.This issue affects Ultra Portfolio: from n/a through <= 6.7.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-13062
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitizatio... Read more
Affected Products :- Published: Jan. 15, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2021-47777
Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database que... Read more
Affected Products :- Published: Jan. 15, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2020-37110
60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious... Read more
Affected Products :- Published: Feb. 03, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-67645
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pub... Read more
Affected Products : openemr- Published: Jan. 28, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2026-24954
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.0.8.... Read more
Affected Products : event_manager_and_tickets_selling_for_woocommerce- Published: Feb. 03, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-15347
The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in al... Read more
Affected Products :- Published: Jan. 20, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2026-24840
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the databa... Read more
Affected Products : dokploy- Published: Jan. 28, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2026-2006
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Ve... Read more
Affected Products : postgresql- Published: Feb. 12, 2026
- Modified: Feb. 12, 2026
- Vuln Type: Memory Corruption