Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.9

    CRITICAL
    CVE-2025-67084

    File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).... Read more

    Affected Products : invoiceplane
    • Published: Jan. 15, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Injection

  • 9.9

    CRITICAL
    CVE-2025-68909

    Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files.This issue affects Blogistic: from n/a through <= 1.0.5.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 28, 2026
    • Vuln Type: Misconfiguration

  • 9.9

    CRITICAL
    CVE-2025-62056

    Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event.This issue affects News Event: from n/a through <= 1.0.1.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Misconfiguration

  • 9.9

    CRITICAL
    CVE-2026-0488

    An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads ... Read more

    Affected Products :
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-69874

    nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence.... Read more

    Affected Products :
    • Published: Feb. 11, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2026-2248

    METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) pr... Read more

    Affected Products :
    • Published: Feb. 11, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-2018

    A flaw has been found in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/settings/controller.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The ... Read more

    • Published: Feb. 06, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-2012

    A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /ramonsys/facultyloading/index.php. This manipulation of the argument ID causes sql injection. The attack may be initiate... Read more

    • Published: Feb. 06, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2020-37176

    Torrent 3GP Converter 1.51 contains a stack overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) registers. Attackers can craft a malicious payload targeting the application's registratio... Read more

    Affected Products :
    • Published: Feb. 11, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2025-14892

    The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret.... Read more

    Affected Products :
    • Published: Feb. 12, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-24858

    An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, For... Read more

    • Actively Exploited
    • Published: Jan. 27, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-23906

    Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying LDAP server permi... Read more

    Affected Products : druid
    • Published: Feb. 10, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-1729

    The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' ... Read more

    Affected Products : adforest
    • Published: Feb. 12, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14014

    Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smar... Read more

    Affected Products :
    • Published: Feb. 12, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2020-37186

    Chevereto 3.13.4 Core contains a remote code execution vulnerability that allows attackers to inject malicious code during database configuration installation. Attackers can manipulate the database table prefix parameter to write a PHP shell file and exec... Read more

    Affected Products :
    • Published: Feb. 11, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2020-37183

    Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 contains a stack overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) registers. Attackers can craft a malicious payload in the License Na... Read more

    Affected Products :
    • Published: Feb. 11, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2020-37181

    Torrent FLV Converter 1.51 Build 117 contains a stack overflow vulnerability that allows attackers to overwrite Structured Exception Handler (SEH) through a malicious registration code input. Attackers can craft a payload with specific offsets and partial... Read more

    Affected Products :
    • Published: Feb. 11, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2020-37153

    ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, an... Read more

    Affected Products :
    • Published: Feb. 11, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2026-25875

    PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.... Read more

    Affected Products : placipy
    • Published: Feb. 09, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-65875

    An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.... Read more

    Affected Products : fpdf
    • Published: Feb. 03, 2026
    • Modified: Feb. 11, 2026
    • Vuln Type: Authentication
Showing 20 of 5083 Results