Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-14886

    The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticat... Read more

    Affected Products : japanized_for_woocommerce
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 7.2

    HIGH
    CVE-2025-15055

    The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possib... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-15057

    The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprin... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-69194

    A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on t... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 6.4

    MEDIUM
    CVE-2025-13862

    The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-13908

    The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. ... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2026-0817

    Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse.This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-69542

    A Command Injection Vulnerability has been discovered in the DHCP daemon service of D-Link DIR895LA1 v102b07. The vulnerability exists in the lease renewal processing logic where the DHCP hostname parameter is directly concatenated into a system command w... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 8.2

    HIGH
    CVE-2026-21409

    Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's r... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-14736

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and... Read more

    Affected Products : frontend_admin
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 5.5

    MEDIUM
    CVE-2026-0731

    A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carrie... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-15464

    Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.... Read more

    Affected Products : fun_print_mobile
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 8.4

    HIGH
    CVE-2025-68716

    KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This ... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-66913

    JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2026-22256

    Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generate an file view of a folder which include a render of the current path, in which its inserted in the HTML without proper sanitation, this leads to reflected XSS u... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-14948

    The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and inclu... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 6.6

    MEDIUM
    CVE-2026-0496

    SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the applica... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 5.4

    MEDIUM
    CVE-2025-14001

    The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it po... Read more

    Affected Products : wp_duplicate_page
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2026-0497

    SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 9.1

    CRITICAL
    CVE-2025-61686

    React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-ru... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal
Showing 20 of 4348 Results