Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-2133 — code-projects Online Music Site AdminUpdateCategory.php unrestricted upload

A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtima…

online_music_site | Remote | Misconfiguration
Feb 08, 2026 Feb 10, 2026
Feb 08, 2026
Feb 10, 2026
9.8 CRITICAL
CVE-2026-2132 — code-projects Online Music Site AdminUpdateCategory.php sql injection

A security flaw has been discovered in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the …

online_music_site | Remote | Injection
Feb 08, 2026 Feb 10, 2026
Feb 08, 2026
Feb 10, 2026
8.8 HIGH
CVE-2026-2131 — XixianLiang HarmonyOS-mcp-server input_text os command injection

A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remo…

harmonyos_mcp_server | Remote | Injection
Feb 08, 2026 Mar 05, 2026
Feb 08, 2026
Mar 05, 2026
9.8 CRITICAL
CVE-2026-2130 — BurtTheCoder mcp-maigret search_username index.ts command injection

A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argume…

maigret_mcp_server | Remote | Injection
Feb 08, 2026 Mar 05, 2026
Feb 08, 2026
Mar 05, 2026
6.5 MEDIUM
CVE-2026-2209 — WeKan Custom Translation translationBody.js setCreateTranslation improper authorization

A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translati…

wekan | Remote | Authorization
Feb 08, 2026 Feb 11, 2026
Feb 08, 2026
Feb 11, 2026
6.5 MEDIUM
CVE-2026-2208 — WeKan Rules rules.js RulesBleed authorization

A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to miss…

wekan | Remote | Authorization
Feb 08, 2026 Feb 11, 2026
Feb 08, 2026
Feb 11, 2026
6.9 MEDIUM
CVE-2026-2207 — WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure

A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a…

wekan | Remote | Information Disclosure
Feb 08, 2026 Feb 11, 2026
Feb 08, 2026
Feb 11, 2026
8.8 HIGH
CVE-2026-2206 — WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control

A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Perfor…

wekan | Remote | Authorization
Feb 08, 2026 Feb 11, 2026
Feb 08, 2026
Feb 11, 2026
5.3 MEDIUM
CVE-2026-2205 — WeKan Meteor Publication cards.js CardPubSubBleed information disclosure

A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to infor…

wekan | Remote | Information Disclosure
Feb 08, 2026 Feb 11, 2026
Feb 08, 2026
Feb 11, 2026
8.3 HIGH
CVE-2026-2129 — D-Link DIR-823X set_ac_status os command injection

A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ips…

dir-823x_firmware dir-823x | Remote | Injection
Feb 08, 2026 Feb 11, 2026
Feb 08, 2026
Feb 11, 2026
8.8 HIGH
CVE-2025-15100 — JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay…

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user me…

Remote | Authorization
Feb 08, 2026 Feb 09, 2026
Feb 08, 2026
Feb 09, 2026
9.8 CRITICAL
CVE-2025-15027 — JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_regis…

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user me…

Remote | Authorization
Feb 08, 2026 Feb 09, 2026
Feb 08, 2026
Feb 09, 2026
9.8 CRITICAL
CVE-2026-2122 — Xiaopi Panel WAF Firewall demo.php sql injection

A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results i…

panel | Remote | Injection
Feb 08, 2026 Mar 05, 2026
Feb 08, 2026
Mar 05, 2026
8.3 HIGH
CVE-2026-2120 — D-Link DIR-823X Configuration Parameter set_server_settings os command injection

A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation o…

dir-823x_firmware dir-823x | Remote | Injection
Feb 08, 2026 Feb 11, 2026
Feb 08, 2026
Feb 11, 2026
8.3 HIGH
CVE-2026-2118 — UTT HiPER 810 rehttpd formReleaseConnect sub_4407D4 command injection

A vulnerability was determined in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_4407D4 of the file /goform/formReleaseConnect of the component rehttpd. Executing a manipulation…

810_firmware 810 | Remote | Injection
Feb 08, 2026 Feb 13, 2026
Feb 08, 2026
Feb 13, 2026
9.8 CRITICAL
CVE-2026-2117 — itsourcecode Society Management System edit_activity.php sql injection

A vulnerability was found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/edit_activity.php. Performing a manipulation of the argument ac…

society_management_system | Remote | Injection
Feb 08, 2026 Feb 10, 2026
Feb 08, 2026
Feb 10, 2026
9.8 CRITICAL
CVE-2026-2116 — itsourcecode Society Management System edit_expenses.php sql injection

A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/edit_expenses.php. Such manipulation of the argument expenses_id leads…

society_management_system | Remote | Injection
Feb 08, 2026 Feb 10, 2026
Feb 08, 2026
Feb 10, 2026
9.8 CRITICAL
CVE-2026-2115 — itsourcecode Society Management System delete_expenses.php sql injection

A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/delete_expenses.php. This manipulation of the argument expenses_id c…

society_management_system | Remote | Injection
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
9.8 CRITICAL
CVE-2026-2114 — itsourcecode Society Management System edit_admin.php sql injection

A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id result…

society_management_system | Remote | Injection
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
8.8 HIGH
CVE-2026-25859 — WeKan < 8.20 Migration Functionality Insufficient Permission Checks

Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

wekan | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
Showing 20 of 5125 Results