Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.5 HIGH
CVE-2025-11754 — Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCP…

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and incl…

Remote | Authentication
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
6.5 MEDIUM
CVE-2025-11725 — Aruba HiSpeed Cache <= 3.0.2 - Missing Authorization to Unauthenticated Plugin's Settings…

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the multiple functions in all versions up to, and including, 3.0.…

aruba_hispeed_cache | Remote | Authorization
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
6.1 MEDIUM
CVE-2025-11706 — Aruba HiSpeed Cache <= 3.0.2 - Reflected Cross-Site Scripting

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitizat…

aruba_hispeed_cache | Remote | Cross-Site Scripting
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
10.0 HIGH
CVE-2026-2686 — SECCN Dingcheng G10 session_login.cgi qq os command injection

A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os …

Remote | Injection
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
9.8 CRITICAL
CVE-2026-2684 — Tsinghua Unigroup Electronic Archives System uploadFile.html unrestricted upload

A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html.…

electronic_archives_system | Remote | Misconfiguration
Feb 19, 2026 Mar 03, 2026
Feb 19, 2026
Mar 03, 2026
7.3 HIGH
CVE-2026-25926 — Notepad++ has an Untrusted Search Path

Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable …

notepad\+\+ | Misconfiguration
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
9.1 CRITICAL
CVE-2026-24126 — Weblate has an argument injection in management console

Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ss…

weblate | Remote | Injection
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
6.7 MEDIUM
CVE-2025-15585 — Fileflows MySQL Authenticated SQL Injection Vulnerability

Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the und…

Remote | Injection
Feb 19, 2026 Feb 19, 2026
Feb 19, 2026
Feb 19, 2026
5.3 MEDIUM
CVE-2026-2683 — Tsinghua Unigroup Electronic Archives System downLoad.html path traversal

A vulnerability was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). The affected element is an unknown function of the file /Using/Subject/downLoad.html. Performing a manipul…

electronic_archives_system | Remote | Path Traversal
Feb 18, 2026 Mar 03, 2026
Feb 18, 2026
Mar 03, 2026
9.8 CRITICAL
CVE-2026-2682 — Tsinghua Unigroup Electronic Archives System prinReport.html sql injection

A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such…

electronic_archives_system | Remote | Injection
Feb 18, 2026 Mar 03, 2026
Feb 18, 2026
Mar 03, 2026
6.5 MEDIUM
CVE-2026-2676 — GoogTech sms-ssm API LoginInterceptor.java preHandle improper authorization

A weakness has been identified in GoogTech sms-ssm up to e8534c766fd13f5f94c01dab475d75f286918a8d. Affected by this issue is the function preHandle of the file LoginInterceptor.java of the component …

Remote | Authorization
Feb 18, 2026 Feb 19, 2026
Feb 18, 2026
Feb 19, 2026
4.4 MEDIUM
CVE-2026-26281 — InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
5.4 MEDIUM
CVE-2026-26270 — InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allo…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.8 MEDIUM
CVE-2026-25596 — InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.8 MEDIUM
CVE-2026-25595 — InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Numb…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.8 MEDIUM
CVE-2026-25594 — InvoicePlane has Stored XSS via Family Name in Product Form

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name …

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
9.1 CRITICAL
CVE-2026-25548 — InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoni…

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained…

invoiceplane | Remote | Injection
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
7.5 HIGH
CVE-2026-24745 — InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of Invo…

invoiceplane | Remote | Cross-Site Scripting
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
4.7 MEDIUM
CVE-2025-15581 — Orthanc Authorization Logic Flaw

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalati…

orthanc | Remote | Authentication
Feb 18, 2026 Feb 28, 2026
Feb 18, 2026
Feb 28, 2026
5.3 MEDIUM
CVE-2025-12812 — Cloud Suite and Privilege Access Service – SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service. Remediation: This issue is fixed in Cloud Suite: 25.1

Remote | Injection
Feb 18, 2026 Feb 19, 2026
Feb 18, 2026
Feb 19, 2026
Showing 20 of 5066 Results