Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.0

    HIGH
    CVE-2026-2870

    A security flaw has been discovered in Tenda A21 1.0.0.0. Affected by this issue is the function set_qosMib_list of the file /goform/formSetQosBand. The manipulation of the argument list results in stack-based buffer overflow. The attack can be executed r... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Memory Corruption

  • 4.8

    MEDIUM
    CVE-2026-2869

    A vulnerability was identified in janet-lang janet up to 1.40.1. Affected by this vulnerability is the function janetc_varset of the file src/core/specials.c of the component handleattr Handler. The manipulation leads to out-of-bounds read. The attack can... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2026-2867

    A vulnerability was determined in itsourcecode Vehicle Management System 1.0. Affected is an unknown function of the file /billaction.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The expl... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Injection

  • 7.4

    HIGH
    CVE-2026-27579

    CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Misconfiguration

  • 9.9

    CRITICAL
    CVE-2026-27574

    OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing ... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Injection

  • 4.7

    MEDIUM
    CVE-2026-27492

    Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send()... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Information Disclosure

  • 4.8

    MEDIUM
    CVE-2026-1787

    The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This ma... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Authorization

  • 4.8

    MEDIUM
    CVE-2026-27576

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affec... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Denial of Service

  • 6.9

    MEDIUM
    CVE-2026-27488

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fi... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.6

    HIGH
    CVE-2026-27487

    OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Beca... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2026-27486

    OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw proc... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Misconfiguration

  • 4.6

    MEDIUM
    CVE-2026-27485

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs thi... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Information Disclosure

  • 2.3

    LOW
    CVE-2026-27484

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Authorization

  • 5.9

    MEDIUM
    CVE-2026-27482

    Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-h... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2026-27480

    Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by explo... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-14339

    The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission(... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Authorization

  • 7.7

    HIGH
    CVE-2026-27479

    Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP add... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.5

    HIGH
    CVE-2026-2865

    A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product resul... Read more

    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Injection

  • 5.5

    MEDIUM
    CVE-2026-2864

    A vulnerability has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. This affects the function pictureDelete of the file PictureController.java. Such manipulation of the argument picName leads to ... Read more

    Affected Products :
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Path Traversal

  • 8.8

    HIGH
    CVE-2026-27470

    ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() func... Read more

    Affected Products : zoneminder
    • Published: Feb. 21, 2026
    • Modified: Feb. 21, 2026
    • Vuln Type: Injection
Showing 20 of 5156 Results