Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-14463

    The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processe... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2026-1107

    A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attac... Read more

    Affected Products : eyoucms
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 5.5

    MEDIUM
    CVE-2026-1106

    A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument... Read more

    Affected Products :
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 5.9

    MEDIUM
    CVE-2025-12002

    The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that d... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 8.7

    HIGH
    CVE-2026-23625

    OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for e... Read more

    Affected Products : openproject
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.6

    MEDIUM
    CVE-2026-0519

    In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system.... Read more

    Affected Products : secure_access
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Information Disclosure

  • 6.0

    MEDIUM
    CVE-2026-0517

    CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash... Read more

    Affected Products : secure_access
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Denial of Service

  • 7.3

    HIGH
    CVE-2026-23880

    OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnera... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-15403

    The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the '... Read more

    Affected Products : registrationmagic
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 2.2

    LOW
    CVE-2026-0682

    The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated att... Read more

    Affected Products : church_admin
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Server-Side Request Forgery

  • 6.0

    MEDIUM
    CVE-2025-69198

    Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource li... Read more

    Affected Products : panel
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Denial of Service

  • 9.0

    HIGH
    CVE-2026-1143

    A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched ... Read more

    Affected Products : a3700r_firmware
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2026-1145

    A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out rem... Read more

    Affected Products : quickjs
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 1.8

    LOW
    CVE-2025-55250

    HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks.... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2026-1130

    A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiat... Read more

    Affected Products : ksoa
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-1131

    A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to sql injection. It is possible to launch ... Read more

    Affected Products : ksoa
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2026-23849

    File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attacke... Read more

    Affected Products : filebrowser
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2026-23848

    MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Att... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 7.6

    HIGH
    CVE-2026-1007

    Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.... Read more

    Affected Products : devolutions_server
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 8.5

    HIGH
    CVE-2026-0863

    Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by... Read more

    Affected Products : n8n
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection
Showing 20 of 4378 Results