Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-2684 — Tsinghua Unigroup Electronic Archives System uploadFile.html unrestricted upload

A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html.…

electronic_archives_system | Remote | Misconfiguration
Feb 19, 2026 Mar 03, 2026
Feb 19, 2026
Mar 03, 2026
7.3 HIGH
CVE-2026-25926 — Notepad++ has an Untrusted Search Path

Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable …

notepad\+\+ | Misconfiguration
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
9.1 CRITICAL
CVE-2026-24126 — Weblate has an argument injection in management console

Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ss…

weblate | Remote | Injection
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
6.7 MEDIUM
CVE-2025-15585 — Fileflows MySQL Authenticated SQL Injection Vulnerability

Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the und…

Remote | Injection
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
5.3 MEDIUM
CVE-2026-2683 — Tsinghua Unigroup Electronic Archives System downLoad.html path traversal

A vulnerability was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). The affected element is an unknown function of the file /Using/Subject/downLoad.html. Performing a manipul…

electronic_archives_system | Remote | Path Traversal
Feb 18, 2026 Mar 03, 2026
Feb 18, 2026
Mar 03, 2026
9.8 CRITICAL
CVE-2026-2682 — Tsinghua Unigroup Electronic Archives System prinReport.html sql injection

A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such…

electronic_archives_system | Remote | Injection
Feb 18, 2026 Mar 03, 2026
Feb 18, 2026
Mar 03, 2026
6.5 MEDIUM
CVE-2026-2676 — GoogTech sms-ssm API LoginInterceptor.java preHandle improper authorization

A weakness has been identified in GoogTech sms-ssm up to e8534c766fd13f5f94c01dab475d75f286918a8d. Affected by this issue is the function preHandle of the file LoginInterceptor.java of the component …

Remote | Authorization
Feb 18, 2026 Feb 19, 2026
Feb 18, 2026
Feb 19, 2026
4.4 MEDIUM
CVE-2026-26281 — InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
5.4 MEDIUM
CVE-2026-26270 — InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allo…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.8 MEDIUM
CVE-2026-25596 — InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.8 MEDIUM
CVE-2026-25595 — InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Numb…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.8 MEDIUM
CVE-2026-25594 — InvoicePlane has Stored XSS via Family Name in Product Form

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name …

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
9.1 CRITICAL
CVE-2026-25548 — InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoni…

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained…

invoiceplane | Remote | Injection
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
7.5 HIGH
CVE-2026-24745 — InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of Invo…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.7 MEDIUM
CVE-2025-15581 — Orthanc Authorization Logic Flaw

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalati…

orthanc | Remote | Authentication
Feb 18, 2026 Feb 28, 2026
Feb 18, 2026
Feb 28, 2026
5.3 MEDIUM
CVE-2025-12812 — Cloud Suite and Privilege Access Service – SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service. Remediation: This issue is fixed in Cloud Suite: 25.1

Remote | Injection
Feb 18, 2026 Feb 19, 2026
Feb 18, 2026
Feb 19, 2026
6.9 MEDIUM
CVE-2025-12811 — Cloud Suite and Privilege Access Service– HTTP request smuggling vulnerability

Improper Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service. If you're not using the latest Server Suite agents, this f…

Remote | Misconfiguration
Feb 18, 2026 Feb 19, 2026
Feb 18, 2026
Feb 19, 2026
5.3 MEDIUM
CVE-2026-2672 — Tsinghua Unigroup Electronic Archives System downLoad download path traversal

A security flaw has been discovered in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is the function Download of the file /Search/Subject/downLoad. Pe…

electronic_archives_system | Remote | Path Traversal
Feb 18, 2026 Mar 03, 2026
Feb 18, 2026
Mar 03, 2026
8.3 HIGH
CVE-2026-2670 — Advantech WISE-6610 Background Management openvpn_apply os command injection

A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected is an unknown function of the file /cgi-bin/luci/admin/openvpn_apply of the component Background Management. Such manipu…

Remote | Injection
Feb 18, 2026 Feb 19, 2026
Feb 18, 2026
Feb 19, 2026
6.9 MEDIUM
CVE-2026-2669 — Rongzhitong Visual Integrated Command and Dispatch Platform User delete access control

A vulnerability was determined in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. This impacts an unknown function of the file /dm/dispatch/user/delete of the component Us…

visual_integrated_command_and_dispatch_platform | Remote | Authorization
Feb 18, 2026 Feb 26, 2026
Feb 18, 2026
Feb 26, 2026
Showing 20 of 5068 Results