Latest CVE Feed
-
8.3
HIGHCVE-2026-23851
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the ... Read more
Affected Products : siyuan- Published: Jan. 19, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Path Traversal
-
8.3
HIGHCVE-2025-69199
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connect... Read more
- Published: Jan. 19, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Denial of Service
-
8.2
HIGHCVE-2025-59023
Crafted delegations or IP fragments can poison cached delegations in Recursor.... Read more
Affected Products : recursor- Published: Feb. 09, 2026
- Modified: Feb. 09, 2026
- Vuln Type: Misconfiguration
-
8.2
HIGHCVE-2026-24430
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypte... Read more
- Published: Jan. 26, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Information Disclosure
-
8.2
HIGHCVE-2026-24843
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retri... Read more
Affected Products :- Published: Feb. 04, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Path Traversal
-
8.2
HIGHCVE-2026-1803
A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an a... Read more
Affected Products :- Published: Feb. 03, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Authentication
-
8.2
HIGHCVE-2025-69047
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion.This issue affects MaxShop: from n/a through <= 3.6.20.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Path Traversal
-
8.2
HIGHCVE-2025-20080
Null pointer dereference in the firmware for some Intel(R) AMT and Intel(R) Standard Manageability within Ring 0: Kernel may allow a denial of service. Network adversary with an unauthenticated user combined with a high complexity attack may enable denial... Read more
Affected Products :- Published: Feb. 10, 2026
- Modified: Feb. 10, 2026
- Vuln Type: Denial of Service
-
8.2
HIGHCVE-2025-1395
Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping.This issue affects HeyGarson: through 30012026. NOTE: The vendor was contact... Read more
Affected Products :- Published: Jan. 30, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Information Disclosure
-
8.2
HIGHCVE-2026-24842
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a mal... Read more
Affected Products : tar- Published: Jan. 28, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Path Traversal
-
8.2
HIGHCVE-2026-25235
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This... Read more
Affected Products : pearweb- Published: Feb. 03, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Authentication
-
8.2
HIGHCVE-2025-69077
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Injection
-
8.2
HIGHCVE-2026-1117
A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `... Read more
- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authentication
-
8.2
HIGHCVE-2026-24400
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `... Read more
Affected Products :- Published: Jan. 26, 2026
- Modified: Jan. 27, 2026
- Vuln Type: XML External Entity
-
8.2
HIGHCVE-2026-1953
Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the da... Read more
Affected Products :- Published: Feb. 05, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Cross-Site Scripting
-
8.2
HIGHCVE-2026-21990
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure wh... Read more
Affected Products : vm_virtualbox- Published: Jan. 20, 2026
- Modified: Jan. 29, 2026
-
8.2
HIGHCVE-2026-22548
When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. Note: Software versions which have reached End of Technic... Read more
Affected Products : big-ip_access_policy_manager- Published: Feb. 04, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Denial of Service
-
8.2
HIGHCVE-2026-1642
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's co... Read more
- Published: Feb. 04, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Misconfiguration
-
8.2
HIGHCVE-2026-1610
A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remo... Read more
Affected Products :- Published: Jan. 29, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Authentication
-
8.2
HIGHCVE-2026-21956
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure wh... Read more
Affected Products : vm_virtualbox- Published: Jan. 20, 2026
- Modified: Jan. 29, 2026