Latest CVE Feed

Following is the list of the latest published vulnerabilities. You can filter the list by the severity of the vulnerability, by whether it is known to be actively exploited (i.e., appears on the CISA KEV list), or by whether it is remotely exploitable. You can also sort the list by published date, last updated date, or CVSS score.
  • 7.5

    HIGH
    CVE-2026-25650

    MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10...

    Affected Products : mcp_salesforce_connector
    • Published: Feb. 06, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Information Disclosure
  • 5.4

    MEDIUM
    CVE-2026-25647

    Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a...

    Affected Products : siyuan
    • Published: Feb. 06, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Cross-Site Scripting
  • 5.4

    MEDIUM
    CVE-2026-1769

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS. This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2...

    Affected Products : windows centreware_web
    • Published: Feb. 06, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Cross-Site Scripting
  • 8.2

    HIGH
    CVE-2026-23989

    REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "ar...

    Affected Products : opencloud_reva
    • Published: Feb. 06, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Authorization
  • 5.4

    MEDIUM
    CVE-2026-24903

    OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaS...

    Affected Products : orcastatllm_researcher
    • Published: Feb. 06, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Cross-Site Scripting
  • 8.8

    HIGH
    CVE-2026-24851

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to im...

    Affected Products : openfga helm_charts
    • Published: Feb. 06, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Authorization
  • 5.3

    MEDIUM
    CVE-2026-26745

    OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL ...

    Affected Products : open_source_point_of_sale
    • Published: Feb. 20, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Injection
  • 8.8

    HIGH
    CVE-2026-2822

    A security vulnerability has been detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file /jeecgboot/sys/dict/loadDict/airag_app,1,create_by of the component Backend Interface. Such manipulation of the argument keyword l...

    Affected Products : jeecg_boot
    • Published: Feb. 20, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Injection
  • 7.2

    HIGH
    CVE-2019-25454

    phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the co...

    Affected Products : phpmoadmin
    • Published: Feb. 20, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Cross-Site Scripting
  • 6.1

    MEDIUM
    CVE-2019-25453

    phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moa...

    Affected Products : phpmoadmin
    • Published: Feb. 20, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Cross-Site Scripting
  • 9.8

    CRITICAL
    CVE-2026-2690

    A flaw has been found in itsourcecode Event Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login of the component Admin Login. This manipulation of the argument Username causes sql inje...

    Affected Products : event_management_system
    • Published: Feb. 19, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Injection
  • 8.8

    HIGH
    CVE-2026-26746

    OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file...

    Affected Products : open_source_point_of_sale
    • Published: Feb. 20, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Path Traversal
  • 6.1

    MEDIUM
    CVE-2025-62326

    HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit...

    Affected Products : digital_experience
    • Published: Feb. 20, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Cross-Site Scripting
  • 9.8

    CRITICAL
    CVE-2026-2689

    A vulnerability was detected in itsourcecode Event Management System 1.0. Affected is an unknown function of the file /admin/manage_booking.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exp...

    Affected Products : event_management_system
    • Published: Feb. 19, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Injection
  • 9.8

    CRITICAL
    CVE-2019-25364

    MailCarrier 2.51 contains a buffer overflow vulnerability in the POP3 USER command that allows remote attackers to execute arbitrary code. Attackers can send a crafted oversized buffer to the POP3 service, overwriting memory and potentially gaining remote...

    Affected Products : mailcarrier
    • Published: Feb. 18, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Memory Corruption
  • 6.2

    MEDIUM
    CVE-2019-25326

    ipPulse 1.92 contains a denial of service vulnerability that allows local attackers to crash the application by providing an oversized input in the Enter Key field. Attackers can generate a 256-byte buffer of repeated 'A' characters to trigger an applicat...

    Affected Products : ippulse
    • Published: Feb. 18, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Denial of Service
  • 8.0

    HIGH
    CVE-2025-70329

    TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to the CsteS...

    Affected Products : x5000r_firmware x5000r
    • Published: Feb. 23, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Injection
  • 7.5

    HIGH
    CVE-2025-69700

    Tenda FH1203 V2.0.1.6 contains a stack-based buffer overflow vulnerability in the modify_add_client_prio function, which is reachable via the formSetClientPrio CGI handler...

    Affected Products : fh1203_firmware fh1203
    • Published: Feb. 23, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Memory Corruption
  • 9.8

    CRITICAL
    CVE-2026-24853

    Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non-whitelisted domains from reaching out through port 8080, and shows "Host/IP is not allowed to connect to Caido" on all endpoints. But this is bypassable by injecting a X-Forwarded-Ho...

    Affected Products : caido
    • Published: Feb. 13, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Server-Side Request Forgery
  • 0.0

    NA
    CVE-2025-46320

    A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7...

    Affected Products :
    • Published: Feb. 24, 2026
    • Modified: Feb. 24, 2026
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4808 Results