Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 1.8

    LOW
    CVE-2026-1225

    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configurati... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 5.5

    MEDIUM
    CVE-2025-4763

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS.This issue affects Hotel Guest Hotspot: through 22012026.  NOT... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2026-24039

    Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to ... Read more

    Affected Products : horilla
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 8.6

    HIGH
    CVE-2026-23516

    CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a malic... Read more

    Affected Products : computer_vision_annotation_tool
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.3

    HIGH
    CVE-2026-23960

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in... Read more

    Affected Products : argo_workflows
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.3

    HIGH
    CVE-2026-23736

    seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserializatio... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 7.1

    HIGH
    CVE-2021-47872

    SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerabili... Read more

    Affected Products : seo_panel
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 8.5

    HIGH
    CVE-2021-47882

    FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched wi... Read more

    Affected Products : freelan
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 5.2

    MEDIUM
    CVE-2026-23873

    hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_expor... Read more

    Affected Products : hustoj
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 8.7

    HIGH
    CVE-2021-47850

    Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. Attackers can retrieve sensitive files like win.ini and list contents of system directori... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 5.3

    MEDIUM
    CVE-2025-27377

    Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially ex... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 2.7

    LOW
    CVE-2026-24001

    jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Denial of Service

  • 8.4

    HIGH
    CVE-2026-23755

    D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloadi... Read more

    Affected Products : d-view_8
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2026-21982

    Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical commu... Read more

    Affected Products : vm_virtualbox
    • Published: Jan. 20, 2026
    • Modified: Jan. 26, 2026

  • 2.7

    LOW
    CVE-2025-14083

    A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2025-13878

    Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.... Read more

    Affected Products : bind
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2026-23962

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very la... Read more

    Affected Products : mastodon
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Denial of Service

  • 6.3

    MEDIUM
    CVE-2026-24047

    Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility functio... Read more

    Affected Products : backstage
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 6.5

    MEDIUM
    CVE-2025-14559

    A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in th... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 6.8

    MEDIUM
    CVE-2025-71176

    pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration
Showing 20 of 4448 Results