Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-25858 — macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account pas…

newbee-mall mall | Remote | Authentication
Feb 07, 2026 Mar 05, 2026
Feb 07, 2026
Mar 05, 2026
8.8 HIGH
CVE-2026-25857 — Tenda G300-F Command Injection via formSetWanDiag

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell com…

rx9_pro_firmware g300-f_firmware g300-f | Remote | Injection
Feb 07, 2026 Mar 05, 2026
Feb 07, 2026
Mar 05, 2026
7.1 HIGH
CVE-2026-25568 — WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass

WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPriv…

wekan | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
5.3 MEDIUM
CVE-2026-25567 — WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated use…

wekan | Remote | Authentication
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
7.1 HIGH
CVE-2026-25566 — WeKan < 8.19 Cross-board Card Move Without Destination Authorization

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination …

wekan | Remote | Authorization
Feb 07, 2026 Feb 18, 2026
Feb 07, 2026
Feb 18, 2026
7.1 HIGH
CVE-2026-25565 — WeKan < 8.19 Read-only Board Roles Can Update Cards

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users wi…

wekan | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
7.5 HIGH
CVE-2026-25564 — WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs…

wekan | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
7.5 HIGH
CVE-2026-25563 — WeKan < 8.19 Checklist Creation Cross-Board IDOR

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs…

wekan | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
5.3 MEDIUM
CVE-2026-25562 — WeKan < 8.19 Attachments Publication Information Disclosure

WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards a…

wekan | Remote | Information Disclosure
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
7.5 HIGH
CVE-2026-25561 — WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId…

wekan | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
9.8 CRITICAL
CVE-2026-25560 — WeKan < 8.19 LDAP Authentication Filter Injection

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without…

wekan | Remote | Injection
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
5.5 MEDIUM
CVE-2025-15564 — Mapnik value.cpp operator divide by zero

A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. T…

mapnik | Denial of Service
Feb 07, 2026 Feb 28, 2026
Feb 07, 2026
Feb 28, 2026
9.8 CRITICAL
CVE-2026-2113 — yuan1994 tpadmin WebUploader preview.php deserialization

A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component…

tpadmin | Remote | Injection
Feb 07, 2026 Mar 05, 2026
Feb 07, 2026
Mar 05, 2026
5.3 MEDIUM
CVE-2026-2111 — JeecgBoot Retrieval-Augmented Generation edit path traversal

A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this issue is some unknown functionality of the file /airag/knowledge/doc/edit of the component Retrieval-Augmented Generation Mod…

jeecg_boot | Remote | Path Traversal
Feb 07, 2026 Mar 03, 2026
Feb 07, 2026
Mar 03, 2026
8.1 HIGH
CVE-2026-2110 — Tasin1025 SwiftBuy login.php excessive authentication

A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing…

swiftbuy | Remote | Authentication
Feb 07, 2026 Mar 05, 2026
Feb 07, 2026
Mar 05, 2026
8.1 HIGH
CVE-2026-2109 — jsbroks COCO Annotator Delete Category undo improper authorization

A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argume…

coco_annotator | Remote | Authorization
Feb 07, 2026 Feb 27, 2026
Feb 07, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-2108 — jsbroks COCO Annotator Endpoint long_task denial of service

A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of s…

coco_annotator | Remote | Denial of Service
Feb 07, 2026 Feb 27, 2026
Feb 07, 2026
Feb 27, 2026
8.8 HIGH
CVE-2026-2107 — yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization

A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\wareh…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
8.8 HIGH
CVE-2026-2106 — yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper autho…

A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the fi…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
8.8 HIGH
CVE-2026-2105 — yeqifu warehouse Department Management DeptController.java deleteDept improper authorizat…

A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\ma…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Feb 07, 2026
Feb 10, 2026
Showing 20 of 5125 Results