Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.8

    HIGH
    CVE-2025-47346

    Memory corruption while processing a secure logging command in the trusted application.... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2026-0669

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal.This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39.... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2026-0668

    Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Denial of Service

  • 9.3

    CRITICAL
    CVE-2026-0650

    OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected ... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Authentication

  • 4.3

    MEDIUM
    CVE-2025-14468

    The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects ... Read more

    Affected Products : accelerated_mobile_pages
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 6.8

    MEDIUM
    CVE-2026-22537

    The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker.... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Misconfiguration

  • 6.4

    MEDIUM
    CVE-2025-14053

    The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it pos... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-13990

    The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticat... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 6.5

    MEDIUM
    CVE-2025-14867

    The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and abo... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Path Traversal

  • 4.3

    MEDIUM
    CVE-2025-14904

    The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 6.5

    MEDIUM
    CVE-2025-46434

    Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7.... Read more

    Affected Products : the_plus_addons_for_elementor
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Authorization

  • 2.7

    LOW
    CVE-2025-12958

    The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for auth... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-69344

    Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through 6.6.... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-13493

    The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admi... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-13849

    The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-13667

    The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. T... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-13841

    The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization an... Read more

    Affected Products :
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.9

    MEDIUM
    CVE-2025-14719

    The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks... Read more

    Affected Products : relevanssi
    • Published: Jan. 07, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2026-22488

    Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8.... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-62877

    Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password  if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environmen... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 08, 2026
    • Vuln Type: Misconfiguration
Showing 20 of 4351 Results