Latest CVE Feed
-
4.3
MEDIUMCVE-2026-24776
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlo... Read more
Affected Products : openproject- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2026-24903
OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaS... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Cross-Site Scripting
-
10.0
CRITICALCVE-2026-25520
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain t... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Authentication
-
8.5
HIGHCVE-2019-25302
Acer Launch Manager 6.1.7600.16385 contains an unquoted service path vulnerability in the DsiWMIService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Launch ... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Misconfiguration
-
6.3
MEDIUMCVE-2026-2065
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can o... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Authentication
-
9.0
HIGHCVE-2026-2067
A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTimeGroupConfig. The manipulation of the argument year1 leads to buffer overflow. The attack may be initiated re... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Memory Corruption
-
5.9
MEDIUMCVE-2026-25556
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap i... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Memory Corruption
-
6.6
MEDIUMCVE-2026-25650
MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Information Disclosure
-
8.7
HIGHCVE-2026-24419
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The applicat... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
6.8
MEDIUMCVE-2026-25727
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally de... Read more
Affected Products : time- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Denial of Service
-
4.6
MEDIUMCVE-2026-25647
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a... Read more
Affected Products : siyuan- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2026-2060
A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in sql... Read more
Affected Products : simple_blood_donor_management_system- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
9.4
CRITICALCVE-2026-1709
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform ad... Read more
Affected Products : keylime- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Authentication
-
7.1
HIGHCVE-2019-25300
thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially ... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
7.7
HIGHCVE-2025-13523
Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via s... Read more
Affected Products : confluence- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2026-2057
A vulnerability was detected in SourceCodester Medical Center Portal Management System 1.0. This affects an unknown function of the file /login.php. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The e... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
7.1
HIGHCVE-2019-25303
TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to ... Read more
Affected Products :- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
1.1
LOWCVE-2026-24050
Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interac... Read more
Affected Products : zulip- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Cross-Site Scripting
-
9.3
CRITICALCVE-2025-64111
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in v... Read more
Affected Products : gogs- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Injection
-
7.8
HIGHCVE-2026-23740
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp)... Read more
Affected Products : asterisk- Published: Feb. 06, 2026
- Modified: Feb. 06, 2026
- Vuln Type: Misconfiguration