Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2026-0610

    SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12... Read more

    Affected Products : devolutions_server
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-12129

    The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient ... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Information Disclosure

  • 5.8

    MEDIUM
    CVE-2026-1111

    A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of th... Read more

    Affected Products : publiccms
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 7.5

    HIGH
    CVE-2026-1121

    A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched re... Read more

    Affected Products : ksoa
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 5.1

    MEDIUM
    CVE-2026-1147

    A vulnerability was found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This affects an unknown part of the file /php/api_patient_schedule.php. Performing a manipulation of the argument Reason results in cross site scr... Read more

    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-12825

    The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauth... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2026-1120

    A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be i... Read more

    Affected Products : ksoa
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 5.1

    MEDIUM
    CVE-2026-1146

    A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/l... Read more

    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2026-1122

    A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated re... Read more

    Affected Products : ksoa
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2025-12168

    The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possibl... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 4.4

    MEDIUM
    CVE-2026-0691

    The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input saniti... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.7

    HIGH
    CVE-2026-23530

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger... Read more

    Affected Products : freerdp
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 7.7

    HIGH
    CVE-2026-23531

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of... Read more

    Affected Products : freerdp
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 5.3

    MEDIUM
    CVE-2026-1154

    A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basi... Read more

    Affected Products : e-learning_system
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 10.0

    CRITICAL
    CVE-2026-23800

    Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0.... Read more

    Affected Products :
    • Published: Jan. 16, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 7.7

    HIGH
    CVE-2026-23644

    esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not pr... Read more

    Affected Products : esm.sh
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 7.5

    HIGH
    CVE-2026-1124

    A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in ... Read more

    Affected Products : ksoa
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 7.7

    HIGH
    CVE-2026-23533

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output... Read more

    Affected Products : freerdp
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 6.5

    MEDIUM
    CVE-2026-23848

    MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Att... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 5.5

    MEDIUM
    CVE-2026-1170

    A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotel... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Information Disclosure
Showing 20 of 4511 Results