Latest CVE Feed
-
8.8
HIGHCVE-2021-47788
WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation... Read more
Affected Products : websitebaker- Published: Jan. 16, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2020-36951
Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads tha... Read more
Affected Products :- Published: Jan. 27, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-24529
Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations quick-restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quick Restaurant Reservations: from n/a through <= 1.6.... Read more
Affected Products : quick_restaurant_reservations- Published: Jan. 23, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2026-1150
A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command inje... Read more
- Published: Jan. 19, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-1149
A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection.... Read more
- Published: Jan. 19, 2026
- Modified: Jan. 29, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-46068
An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism... Read more
Affected Products : director- Published: Jan. 12, 2026
- Modified: Jan. 21, 2026
- Vuln Type: Supply Chain
-
8.8
HIGHCVE-2026-22042
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to per... Read more
Affected Products : rustfs- Published: Jan. 08, 2026
- Modified: Jan. 15, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2026-1144
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is no... Read more
Affected Products : quickjs- Published: Jan. 19, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2026-24070
During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed a... Read more
Affected Products :- Published: Feb. 02, 2026
- Modified: Feb. 03, 2026
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-69194
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on t... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2026-24530
Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebP Conversion: from n/a through <= 2.1.... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-33015
IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface.... Read more
Affected Products : concert- Published: Jan. 20, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2026-23958
Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password... Read more
Affected Products : dataease- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authentication
-
8.8
HIGHCVE-2026-1580
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controlle... Read more
Affected Products : ingress-nginx- Published: Feb. 03, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Injection
-
8.8
HIGHCVE-2026-1819
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026.... Read more
Affected Products :- Published: Feb. 04, 2026
- Modified: Feb. 04, 2026
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2026-24411
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafe... Read more
Affected Products : iccdev- Published: Jan. 24, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2026-24410
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic(). This occurs when user-contro... Read more
Affected Products : iccdev- Published: Jan. 24, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2025-66136
Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Carter for Elementor: from n/a through <= 1.0.2.... Read more
Affected Products :- Published: Jan. 22, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2026-1141
A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launch... Read more
- Published: Jan. 19, 2026
- Modified: Jan. 27, 2026
- Vuln Type: Authorization
-
8.8
HIGHCVE-2026-23622
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changi... Read more
- Published: Jan. 15, 2026
- Modified: Jan. 28, 2026
- Vuln Type: Cross-Site Request Forgery