Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2026-0492

    SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidenti... Read more

    Affected Products : hana_database
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 2.1

    LOW
    CVE-2026-22805

    Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This v... Read more

    Affected Products : metabase
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 3.8

    LOW
    CVE-2026-0504

    Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may ... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 5.1

    MEDIUM
    CVE-2026-0824

    A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the publi... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-14001

    The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it po... Read more

    Affected Products : wp_duplicate_page
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 9.3

    CRITICAL
    CVE-2026-22785

    orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification with... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 8.2

    HIGH
    CVE-2025-71063

    Errands before 46.2.10 does not verify TLS certificates for CalDAV servers.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 8.5

    HIGH
    CVE-2026-22610

    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified... Read more

    Affected Products : angular
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.1

    HIGH
    CVE-2026-0511

    SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is n... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 7.6

    HIGH
    CVE-2025-59057

    React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2026-0843

    A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql inj... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.1

    MEDIUM
    CVE-2026-0499

    SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of ses... Read more

    Affected Products : netweaver
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.3

    MEDIUM
    CVE-2026-0842

    A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exp... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 8.2

    HIGH
    CVE-2026-21884

    React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.8

    MEDIUM
    CVE-2025-15505

    A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The at... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.1

    MEDIUM
    CVE-2026-0495

    SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of th... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 6.6

    MEDIUM
    CVE-2026-0496

    SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the applica... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2026-22771

    Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These... Read more

    Affected Products : gateway
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 4.3

    MEDIUM
    CVE-2025-14943

    The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function ... Read more

    Affected Products : blog2social
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2025-41078

    Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating o... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization
Showing 20 of 4486 Results