Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score | Vulnerability | Published
6.5 MEDIUM
CVE-2025-15477 — The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and…

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping…

Remote | Injection
Feb 07, 2026 Feb 09, 2026
4.3 MEDIUM
CVE-2025-15476 — The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket L…

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and …

Remote | Authorization
Feb 07, 2026 Feb 09, 2026
8.8 HIGH
CVE-2026-2078 — yeqifu warehouse Permission Management PermissionController.java deletePermission imprope…

A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\wa…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
8.8 HIGH
CVE-2026-2077 — yeqifu warehouse Role Management RoleController.java deleteRole improper authorization

A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
8.8 HIGH
CVE-2026-2076 — yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authori…

A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\rep…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
8.8 HIGH
CVE-2026-2075 — yeqifu warehouse Role-Permission Binding RoleController.java saveRolePermission access co…

A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\c…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
5.5 MEDIUM
CVE-2025-15491 — Post Slides <= 1.0.1 - Contributor+ Local File Inclusion

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as w…

Remote | Path Traversal
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2025-15267 — Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via…

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient…

bold_page_builder | Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2025-13463 — Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scriptin…

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization …

bold_page_builder | Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2025-12803 — Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_b…

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input san…

bold_page_builder | Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2025-12159 — Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via…

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient in…

bold_page_builder | Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.5 MEDIUM
CVE-2026-2074 — O2OA HTTP POST Request check xml external entity reference

A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation le…

o2oa | Remote | XML External Entity
Feb 07, 2026 Feb 17, 2026
9.8 CRITICAL
CVE-2026-2073 — itsourcecode School Management System index.php sql injection

A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lea…

Feb 07, 2026 Feb 12, 2026
6.8 MEDIUM
CVE-2025-31990 — HCL DevOps Velocity is susceptible to a Denial of Service vulnerability

Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, over…

Remote | Denial of Service
Feb 07, 2026 Feb 09, 2026
9.0 HIGH
CVE-2026-2071 — UTT 进取 520W formP2PLimitConfig strcpy buffer overflow

A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in …

520w_firmware 520w | Remote | Memory Corruption
Feb 07, 2026 Feb 13, 2026
6.7 MEDIUM
CVE-2020-37171 — TapinRadio 2.12.3 - 'username' Denial of Service

TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy username configuration that allows local attackers to crash the application. Attackers can overwrite the username…

tapinradio | Denial of Service
Feb 07, 2026 Feb 19, 2026
6.7 MEDIUM
CVE-2020-37170 — TapinRadio 2.12.3 - 'address' Denial of Service

TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy address configuration that allows local attackers to crash the application. Attackers can overwrite the address f…

tapinradio | Denial of Service
Feb 07, 2026 Feb 19, 2026
6.9 MEDIUM
CVE-2020-37166 — AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service

AbsoluteTelnet 11.12 contains a denial of service vulnerability in the SSH2 username input field that allows local attackers to crash the application. Attackers can overwrite the username field with …

absolutetelnet | Denial of Service
Feb 07, 2026 Feb 19, 2026
6.7 MEDIUM
CVE-2020-37165 — AbsoluteTelnet 11.12 - "license name" Denial of Service

AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character pa…

absolutetelnet | Denial of Service
Feb 07, 2026 Feb 19, 2026
6.7 MEDIUM
CVE-2020-37164 — AbsoluteTelnet 11.12 - "license entry" Denial of Service

AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character pa…

absolutetelnet | Denial of Service
Feb 07, 2026 Feb 19, 2026
Showing 20 of 5134 Results