Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.7

    HIGH
    CVE-2026-21905

    A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending spec... Read more

    Affected Products : junos srx5600 srx5800 srx1500 srx300 srx320 srx340 srx345 srx380 srx4100 +18 more products
    • Published: Jan. 15, 2026
    • Modified: Jan. 23, 2026
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2026-24136

    Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information... Read more

    Affected Products : saleor
    • Published: Jan. 24, 2026
    • Modified: Feb. 12, 2026
    • Vuln Type: Information Disclosure

  • 8.7

    HIGH
    CVE-2021-47752

    AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladm... Read more

    Affected Products : awebserver
    • Published: Jan. 15, 2026
    • Modified: Jan. 23, 2026
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2026-24133

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can p... Read more

    Affected Products : jspdf
    • Published: Feb. 02, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2023-7335

    EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbi... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 8.7

    HIGH
    CVE-2026-24740

    Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope con... Read more

    Affected Products : dozzle
    • Published: Jan. 27, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2026-24416

    OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails... Read more

    Affected Products : openstamanager
    • Published: Feb. 06, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2025-14750

    The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.... Read more

    Affected Products : cmt-ctrl01_firmware
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2025-14751

    A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation.... Read more

    Affected Products : cmt-ctrl01_firmware
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 8.7

    HIGH
    CVE-2020-37088

    School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory t... Read more

    Affected Products : school_erp_pro
    • Published: Feb. 03, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Path Traversal

  • 8.7

    HIGH
    CVE-2026-21920

    An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing, receives ... Read more

    Affected Products : junos srx5600 srx5800 srx1500 srx300 srx320 srx340 srx345 srx380 srx4100 +8 more products
    • Published: Jan. 15, 2026
    • Modified: Jan. 23, 2026
    • Vuln Type: Denial of Service

  • 8.7

    HIGH
    CVE-2026-21918

    A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when during TCP s... Read more

    Affected Products : junos srx5600 srx5800 srx1500 srx300 srx320 srx340 srx345 srx380 srx4100 +18 more products
    • Published: Jan. 15, 2026
    • Modified: Jan. 23, 2026
    • Vuln Type: Memory Corruption

  • 8.7

    HIGH
    CVE-2026-23954

    Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating f... Read more

    Affected Products : incus
    • Published: Jan. 22, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Path Traversal

  • 8.7

    HIGH
    CVE-2021-47802

    Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data inclu... Read more

    Affected Products : d151_firmware d151 d301_firmware d301
    • Published: Jan. 21, 2026
    • Modified: Feb. 02, 2026
    • Vuln Type: Information Disclosure

  • 8.7

    HIGH
    CVE-2020-37034

    HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to acce... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Feb. 03, 2026
    • Vuln Type: Path Traversal

  • 8.7

    HIGH
    CVE-2020-37093

    Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network crede... Read more

    Affected Products :
    • Published: Feb. 03, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Information Disclosure

  • 8.7

    HIGH
    CVE-2026-24480

    QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code exec... Read more

    Affected Products :
    • Published: Jan. 27, 2026
    • Modified: Jan. 27, 2026
    • Vuln Type: Information Disclosure

  • 8.7

    HIGH
    CVE-2026-25495

    Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The a... Read more

    Affected Products : craft_cms
    • Published: Feb. 09, 2026
    • Modified: Feb. 09, 2026
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2026-0750

    Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.... Read more

    Affected Products :
    • Published: Jan. 28, 2026
    • Modified: Jan. 29, 2026
    • Vuln Type: Authentication

  • 8.7

    HIGH
    CVE-2026-23953

    Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the ‘incus’ group) can create an environment variable containing newline... Read more

    Affected Products : incus
    • Published: Jan. 22, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection
Showing 20 of 4678 Results