Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2026-1125

    A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be execu... Read more

    Affected Products : dir-823x_firmware dir-823x
    • Published: Jan. 18, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 5.5

    MEDIUM
    CVE-2025-46306

    The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. Processing a maliciously crafted Keynote file may disclose memory contents.... Read more

    Affected Products : macos iphone_os ipados keynote
    • Published: Jan. 28, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Memory Corruption

  • 9.8

    CRITICAL
    CVE-2026-1414

    A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/get_Information of the component HTTP POST Request Handler. Executing a manipulati... Read more

    • Published: Jan. 26, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-1413

    A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulatio... Read more

    • Published: Jan. 26, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-1412

    A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of ... Read more

    • Published: Jan. 26, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-1325

    A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password... Read more

    • Published: Jan. 22, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-1324

    A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulati... Read more

    • Published: Jan. 22, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2026-0901

    Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)... Read more

    • Published: Jan. 20, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2025-55251

    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.... Read more

    Affected Products : aion
    • Published: Jan. 19, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-55249

    HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks.... Read more

    Affected Products : aion
    • Published: Jan. 19, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Misconfiguration

  • 5.3

    MEDIUM
    CVE-2025-52661

    HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised.... Read more

    Affected Products : aion
    • Published: Jan. 19, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-52660

    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.... Read more

    Affected Products : aion
    • Published: Jan. 19, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2026-25128

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xm... Read more

    Affected Products : fast-xml-parser
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Misconfiguration

  • 2.7

    LOW
    CVE-2026-25050

    Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Authentication

  • 7.2

    HIGH
    CVE-2026-24855

    ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. Th... Read more

    Affected Products : churchcrm
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2026-24854

    ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL inject... Read more

    Affected Products : churchcrm
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-1688

    A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initi... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-1687

    A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command inje... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Injection

  • 9.0

    HIGH
    CVE-2026-1686

    A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possibl... Read more

    Affected Products : a3600r_firmware
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Memory Corruption

  • 9.2

    CRITICAL
    CVE-2025-7964

    After receiving a malformed 802.15.4 MAC Data Request the Zigbee Coordinator sends a ‘network leave’ request to Zigbee router resulting in the Zigbee Router getting stuck in a non-rejoinable state. If a suitable parent is not available, the end device... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Jan. 30, 2026
    • Vuln Type: Denial of Service
Showing 20 of 4239 Results