Latest CVE Feed
-
8.7
HIGHCVE-2020-36907
Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trig... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Denial of Service
-
6.4
MEDIUMCVE-2025-4776
The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authentica... Read more
Affected Products : phlox- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.9
MEDIUMCVE-2025-13409
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient prep... Read more
Affected Products : form_vibes- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
6.4
MEDIUMCVE-2025-46696
Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, version(s) versions 5.26 to 5.30, contain(s) an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2020-36925
Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessi... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
8.8
HIGHCVE-2020-36910
Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as ... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
8.7
HIGHCVE-2026-0621
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression... Read more
Affected Products :- Published: Jan. 05, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-13215
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This mak... Read more
Affected Products : shortcodes_and_extra_features_for_phlox_theme- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Information Disclosure
-
6.4
MEDIUMCVE-2025-14438
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-le... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Server-Side Request Forgery
-
8.4
HIGHCVE-2025-13744
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate se... Read more
Affected Products : enterprise_server- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-31642
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS.This issue affects WPCHURCH: from n/a through 2.7.0.... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-31051
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data.This issue affects Plant - Gardening & Houseplants WordPress Them... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Information Disclosure
-
9.8
CRITICALCVE-2025-60534
Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credential... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
5.9
MEDIUMCVE-2025-63082
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.... Read more
Affected Products : joomla\!- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-14114
The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for ... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
7.8
HIGHCVE-2025-47388
Memory corruption while passing pages to DSP with an unaligned starting address.... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Memory Corruption
-
9.3
CRITICALCVE-2026-0650
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected ... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-14901
The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce ve... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
2.9
LOWCVE-2025-31963
Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests.... Read more
Affected Products : bigfix_insights_for_vulnerability_remediation- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
6.4
MEDIUMCVE-2025-14626
The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and outp... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting