Latest CVE Feed
-
8.8
HIGHCVE-2026-0757
MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to ex... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
-
8.8
HIGHCVE-2025-15566
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-ngin... Read more
Affected Products : ingress-nginx- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-69099
Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection.This issue affects North: from n/a through <= 5.7.5.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-24778
Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript wit... Read more
- Published: Jan. 27, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2026-24763
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable wh... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-1548
A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument url causes command injection. The attack can be initiated remotely. The exploit ... Read more
- Published: Jan. 28, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-1551
A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remote... Read more
- Published: Jan. 29, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2020-37117
jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepa... Read more
Affected Products : jizhicms- Published: Feb. 05, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2026-23622
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changi... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2026-24530
Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebP Conversion: from n/a through <= 2.1.... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2020-37032
Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger ope... Read more
Affected Products : wing_ftp_server- Published: Jan. 30, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-66138
Missing Authorization vulnerability in merkulove Motionger for Elementor motionger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Motionger for Elementor: from n/a through <= 2.0.4.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2019-25260
OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PH... Read more
Affected Products :- Published: Feb. 03, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-22771
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These... Read more
Affected Products : gateway- Published: Jan. 12, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Information Disclosure
-
8.8
HIGHCVE-2026-24534
Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booter: from n/a through <= 1.5.7.... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2021-47770
OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-24532
Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security: from n/a through <= 5.0.2.... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2026-23754
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including ... Read more
Affected Products : d-view_8- Published: Jan. 21, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2020-37110
60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious... Read more
Affected Products :- Published: Feb. 03, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-36640
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges.... Read more
Affected Products : nessus- Published: Jan. 13, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Authorization