Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2025-46645

    Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through ... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 5.5

    MEDIUM
    CVE-2026-0731

    A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carrie... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-15464

    Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.... Read more

    Affected Products : fun_print_mobile
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 2.3

    LOW
    CVE-2026-22713

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiment... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-14782

    The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properl... Read more

    Affected Products : forminator
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-15019

    The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient inpu... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-14574

    The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitiv... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 6.4

    MEDIUM
    CVE-2026-0627

    The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowi... Read more

    Affected Products : accelerated_mobile_pages
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.1

    CRITICAL
    CVE-2025-14741

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. Th... Read more

    Affected Products : frontend_admin
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-14718

    The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. Thi... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-13935

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. T... Read more

    Affected Products : tutor_lms
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-64092

    This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-14172

    The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 5.5

    MEDIUM
    CVE-2026-22232

    OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.... Read more

    Affected Products : ecase_audit
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.5

    MEDIUM
    CVE-2026-22233

    OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.... Read more

    Affected Products : ecase_audit
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.4

    HIGH
    CVE-2025-68716

    KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This ... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 8.6

    HIGH
    CVE-2025-64091

    This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2026-22253

    Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting th... Read more

    Affected Products : soft_serve
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2026-22079

    This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative in... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-14598

    BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affected sites. The vulnerability enables arbitrary SQL commands to be executed on the backend database.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection
Showing 20 of 4539 Results