Latest CVE Feed
-
8.8
HIGHCVE-2026-22807
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing at... Read more
Affected Products : vllm- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Supply Chain
-
9.6
CRITICALCVE-2026-22793
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to exec... Read more
Affected Products : 5ire- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Cross-Site Scripting
-
9.6
CRITICALCVE-2026-22792
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker... Read more
Affected Products : 5ire- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2026-22598
ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2... Read more
Affected Products : manageiq- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2026-21852
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository... Read more
Affected Products : claude_code- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Information Disclosure
-
7.7
HIGHCVE-2025-69285
SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Authentication
-
4.2
MEDIUMCVE-2026-23955
EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like mo... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Memory Corruption
-
6.9
MEDIUMCVE-2025-69209
ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings wi... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Memory Corruption
-
7.4
HIGHCVE-2025-68141
EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed o... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Memory Corruption
-
4.3
MEDIUMCVE-2025-68140
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, th... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Authentication
-
4.3
MEDIUMCVE-2025-68139
EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this ... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Misconfiguration
-
4.7
MEDIUMCVE-2025-68138
EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly all... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Memory Corruption
-
8.3
HIGHCVE-2025-68137
EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to rea... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Memory Corruption
-
7.4
HIGHCVE-2025-68136
EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP socket for the ISO15118-20 communications and registers ca... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Memory Corruption
-
6.9
MEDIUMCVE-2025-13465
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but ... Read more
Affected Products : lodash- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Injection
-
6.3
MEDIUMCVE-2025-12781
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative ... Read more
Affected Products : python- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
-
6.5
MEDIUMCVE-2025-68135
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminates. Thus, this leads to a denial of service as it is re... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Denial of Service
-
7.4
HIGHCVE-2025-68134
EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits when an... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Denial of Service
-
2.4
LOWCVE-2025-68132
EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. Malformed SLIP f... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Memory Corruption
-
8.4
HIGHCVE-2026-23755
D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloadi... Read more
Affected Products : d-view_8- Published: Jan. 21, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Misconfiguration