Latest CVE Feed
-
9.1
CRITICALCVE-2026-25137
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the en... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Authentication
-
9.4
CRITICALCVE-2026-25134
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command v... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
8.1
HIGHCVE-2026-25060
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2026-25059
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with val... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2026-24763
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable wh... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
8.1
HIGHCVE-2026-24737
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input t... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
9.3
CRITICALCVE-2026-24471
continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite),... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Authentication
-
8.7
HIGHCVE-2026-24133
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can p... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Denial of Service
-
7.0
HIGHCVE-2026-24051
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go execute... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Path Traversal
-
6.9
MEDIUMCVE-2026-24043
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user ca... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: XML External Entity
-
6.3
MEDIUMCVE-2026-24040
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server),... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Race Condition
-
4.6
MEDIUMCVE-2026-24007
Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (cre... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Cross-Site Request Forgery
-
8.0
HIGHCVE-2026-23997
FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical d... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Cross-Site Scripting
-
9.9
CRITICALCVE-2026-23515
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-syste... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
5.4
MEDIUMCVE-2026-23476
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. W... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2026-22780
Rizin is a UNIX-like reverse engineering framework and command-line toolset. Prior to 0.8.2, a heap overflow can be exploited when a malicious mach0 file, having bogus entries for the dyld chained segments, is parsed by rizin. This vulnerability is fixed ... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2026-22778
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With th... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Information Disclosure
-
8.2
HIGHCVE-2026-1778
Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to su... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Misconfiguration
-
8.5
HIGHCVE-2026-1777
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify ob... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Information Disclosure
-
7.3
HIGHCVE-2026-0924
BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoCleaner: 1.15.2.... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Authorization