Latest CVE Feed
-
7.2
HIGHCVE-2025-14997
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authen... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Path Traversal
-
7.2
HIGHCVE-2025-15055
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possib... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-15197
A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted... Read more
- Published: Dec. 29, 2025
- Modified: Jan. 07, 2026
- Vuln Type: Misconfiguration
-
7.2
HIGHCVE-2025-66376
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.... Read more
Affected Products : collaboration- Published: Jan. 05, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-15057
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprin... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-31510
In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication.... Read more
Affected Products :- Published: Jan. 16, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-14657
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Authentication
-
7.2
HIGHCVE-2026-21856
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time based blind SQL injection vulnerability in the webhook edit and scanner api endpoints that allow an authenticated attacker t... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-66648
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run u... Read more
Affected Products : vega- Published: Jan. 05, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-37183
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on t... Read more
Affected Products : edgeconnect_sd-wan_orchestrator- Published: Jan. 14, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-15442
A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has b... Read more
Affected Products : crmeb- Published: Jan. 04, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2026-22028
Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications whe... Read more
Affected Products : preact- Published: Jan. 08, 2026
- Modified: Jan. 12, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-15360
A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument ... Read more
Affected Products : newbee-mall-plus- Published: Dec. 30, 2025
- Modified: Jan. 09, 2026
- Vuln Type: Misconfiguration
-
7.2
HIGHCVE-2026-0699
A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploi... Read more
Affected Products : intern_membership_management_system- Published: Jan. 08, 2026
- Modified: Jan. 12, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-15148
A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing manipulation of the argument content/tempdata can lead to code... Read more
Affected Products : cmseasy- Published: Dec. 28, 2025
- Modified: Jan. 06, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-15143
A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content result... Read more
Affected Products : eyoucms- Published: Dec. 28, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-15262
A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing manipulation of the argument image results in unrestricted upload. Remote exp... Read more
Affected Products : simple_php_cms- Published: Dec. 30, 2025
- Modified: Jan. 15, 2026
- Vuln Type: Misconfiguration
-
7.2
HIGHCVE-2025-37181
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on t... Read more
Affected Products : edgeconnect_sd-wan_orchestrator- Published: Jan. 14, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-14436
The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possi... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-64122
Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft.This issue affects Multi-Stack Controller (MSC): through 2.5.1.... Read more
Affected Products :- Published: Jan. 02, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cryptography