Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 10.0

    CRITICAL
    CVE-2025-68121

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a use... Read more

    Affected Products : go
    • Published: Feb. 05, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Cryptography

  • 6.5

    MEDIUM
    CVE-2026-25957

    Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13... Read more

    Affected Products : cube.js
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2026-2268

    The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, ... Read more

    Affected Products : ninja_forms
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Information Disclosure

  • 5.5

    MEDIUM
    CVE-2025-15314

    Tanium addressed an arbitrary file deletion vulnerability in end-user-cx.... Read more

    Affected Products : endpoint_end-user-cx
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026

  • 7.5

    HIGH
    CVE-2026-25961

    SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any ... Read more

    Affected Products : sumatrapdf
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Misconfiguration

  • 9.0

    CRITICAL
    CVE-2026-25881

    SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype... Read more

    Affected Products : sandboxjs
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Misconfiguration

  • 6.4

    MEDIUM
    CVE-2026-1922

    The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization... Read more

    Affected Products :
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.8

    HIGH
    CVE-2025-15319

    Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools.... Read more

    Affected Products : endpoint_patch
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authorization

  • 8.1

    HIGH
    CVE-2026-25890

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying ... Read more

    Affected Products : filebrowser
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2026-25807

    ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 without any authentication mechanism. Any remote attacker... Read more

    Affected Products :
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authentication

  • 7.8

    HIGH
    CVE-2026-25880

    SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads t... Read more

    Affected Products : sumatrapdf
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2026-25811

    PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This ... Read more

    Affected Products : placipy
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authentication

  • 8.7

    HIGH
    CVE-2026-25813

    PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.... Read more

    Affected Products : placipy
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2026-0845

    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_S... Read more

    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2026-25808

    Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint with... Read more

    Affected Products :
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authorization

  • 6.7

    MEDIUM
    CVE-2025-15315

    Tanium addressed a local privilege escalation vulnerability in Tanium Module Server.... Read more

    Affected Products : moduleserver
    • Published: Feb. 09, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Authentication

  • 8.7

    HIGH
    CVE-2026-2093

    Docpedia developed by Flowring has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.... Read more

    Affected Products :
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Injection

  • 7.2

    HIGH
    CVE-2026-1866

    The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling `html_entity_decode()` before `wp_... Read more

    Affected Products : name_directory
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.3

    MEDIUM
    CVE-2024-52334

    A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF07). The affected application does not encrypt the passwords properly. This could allow an attacker to recover the original passwords and might gain unauthorized access.... Read more

    Affected Products :
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Cryptography

  • 7.6

    HIGH
    CVE-2025-40587

    A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. This could allow an authenticated remote att... Read more

    Affected Products :
    • Published: Feb. 10, 2026
    • Modified: Feb. 10, 2026
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4659 Results