Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2026-23957

    seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization proce... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2026-23956

    seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserial... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Denial of Service

  • 8.6

    HIGH
    CVE-2026-23699

    AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Injection

  • 7.6

    HIGH
    CVE-2025-27380

    HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.8

    MEDIUM
    CVE-2025-27379

    A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected c... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2026-23952

    ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before ima... Read more

    Affected Products : imagemagick
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Denial of Service

  • 5.5

    MEDIUM
    CVE-2026-23951

    SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord wh... Read more

    Affected Products : sumatrapdf
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Memory Corruption

  • 6.8

    MEDIUM
    CVE-2026-23946

    Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vuln... Read more

    Affected Products : tendenci
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Information Disclosure

  • 6.8

    MEDIUM
    CVE-2026-23893

    openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by ... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Path Traversal

  • 8.6

    HIGH
    CVE-2025-27378

    AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and ex... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-27377

    Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially ex... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Misconfiguration

  • 5.1

    MEDIUM
    CVE-2026-23887

    Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS)... Read more

    Affected Products : group_office
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.2

    MEDIUM
    CVE-2026-23873

    hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_expor... Read more

    Affected Products :
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2026-1036

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes ... Read more

    Affected Products : photo_gallery
    • Published: Jan. 22, 2026
    • Modified: Jan. 22, 2026
    • Vuln Type: Authorization

  • 3.5

    LOW
    CVE-2026-24048

    Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` ... Read more

    Affected Products : backstage
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Server-Side Request Forgery

  • 6.3

    MEDIUM
    CVE-2026-24047

    Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility functio... Read more

    Affected Products : backstage
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Path Traversal

  • 7.1

    HIGH
    CVE-2026-24046

    Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could e... Read more

    Affected Products : backstage
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Path Traversal

  • 3.7

    LOW
    CVE-2026-23996

    FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistica... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Authentication

  • 5.3

    MEDIUM
    CVE-2026-23990

    The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Opera... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Authentication

  • 6.9

    MEDIUM
    CVE-2026-23986

    Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Path Traversal
Showing 20 of 4323 Results