Latest CVE Feed
-
9.1
CRITICALCVE-2025-67647
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2024-5986
A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is t... Read more
- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2021-47811
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list end... Read more
Affected Products : grocery_crud- Published: Jan. 16, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2025-37168
Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary ... Read more
Affected Products : arubaos- Published: Jan. 13, 2026
- Modified: Jan. 23, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2026-25160
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerabl... Read more
Affected Products :- Published: Feb. 04, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2025-14741
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. Th... Read more
Affected Products : frontend_admin- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2026-22600
OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as... Read more
Affected Products : openproject- Published: Jan. 10, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2026-25137
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the en... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2023-54337
Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an applicat... Read more
Affected Products : multi_server- Published: Jan. 13, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Denial of Service
-
9.1
CRITICALCVE-2025-69602
A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from th... Read more
Affected Products :- Published: Jan. 28, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-62754
Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-59468
This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.... Read more
Affected Products : veeam_backup_\&_replication- Published: Jan. 08, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-69990
phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted.... Read more
Affected Products : news_portal- Published: Jan. 13, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2026-20973
Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows remote attacker to access out-of-bounds memory.... Read more
Affected Products : android- Published: Jan. 09, 2026
- Modified: Feb. 02, 2026
- Vuln Type: Memory Corruption
-
9.1
CRITICALCVE-2025-70985
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.... Read more
Affected Products : ruoyi- Published: Jan. 23, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-25176
Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform.... Read more
Affected Products : ddk- Published: Jan. 13, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Information Disclosure
-
9.1
CRITICALCVE-2025-61546
There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 that enables remote attacker to create financial discrepancies by purchasing items with a negative quantity. This ... Read more
Affected Products : print_shop_pro_webdesk- Published: Jan. 08, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Injection
-
9.1
CRITICALCVE-2025-62741
Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery.This issue affects Pool Services: from n/a through <= 3.3.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Server-Side Request Forgery
-
9.1
CRITICALCVE-2025-66719
An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF valu... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-46651
Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.exa... Read more
Affected Products :- Published: Feb. 03, 2026
- Modified: Feb. 05, 2026
- Vuln Type: Server-Side Request Forgery