Latest CVE Feed
-
8.7
HIGHCVE-2026-22867
LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the U... Read more
Affected Products :- Published: Jan. 15, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2026-24133
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can p... Read more
Affected Products : jspdf- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Denial of Service
-
8.7
HIGHCVE-2026-24665
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment... Read more
Affected Products : openeclass- Published: Feb. 03, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2026-0750
Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.... Read more
Affected Products :- Published: Jan. 28, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authentication
-
8.7
HIGHCVE-2025-9279
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several sec... Read more
- Published: Jan. 20, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Denial of Service
-
8.7
HIGHCVE-2026-25923
my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyg... Read more
Affected Products :- Published: Feb. 09, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Injection
-
8.7
HIGHCVE-2025-14750
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.... Read more
Affected Products : cmt-ctrl01_firmware- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
8.7
HIGHCVE-2026-24417
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to pro... Read more
Affected Products : openstamanager- Published: Feb. 06, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Injection
-
8.7
HIGHCVE-2026-24416
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails... Read more
Affected Products : openstamanager- Published: Feb. 06, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Injection
-
8.7
HIGHCVE-2025-9280
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot.... Read more
- Published: Jan. 20, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Denial of Service
-
8.7
HIGHCVE-2026-24740
Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope con... Read more
Affected Products : dozzle- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
8.7
HIGHCVE-2026-24678
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is... Read more
Affected Products :- Published: Feb. 09, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Memory Corruption
-
8.6
HIGHCVE-2026-23949
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vul... Read more
Affected Products :- Published: Jan. 20, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Path Traversal
-
8.6
HIGHCVE-2026-23493
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other ... Read more
Affected Products : pimcore- Published: Jan. 15, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Information Disclosure
-
8.6
HIGHCVE-2026-25857
Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controll... Read more
Affected Products :- Published: Feb. 07, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Injection
-
8.6
HIGHCVE-2025-7799
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS.This issue affects e-Taxpayer Accounting Website: through 0... Read more
Affected Products :- Published: Feb. 09, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Cross-Site Scripting
-
8.6
HIGHCVE-2026-23516
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a malic... Read more
- Published: Jan. 21, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Cross-Site Scripting
-
8.6
HIGHCVE-2026-22229
A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative con... Read more
- Published: Feb. 02, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
8.6
HIGHCVE-2025-41077
IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, ... Read more
Affected Products : inbox- Published: Jan. 12, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authorization
-
8.6
HIGHCVE-2025-67963
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal.This issue affects Movie Booking: from n/a through <= 1.1.5.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Path Traversal