Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.5

    MEDIUM
    CVE-2026-22702

    virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An ... Read more

    Affected Products : virtualenv
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Race Condition

  • 4.8

    MEDIUM
    CVE-2026-22212

    TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device d... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 9.3

    CRITICAL
    CVE-2026-22785

    orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification with... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2026-0491

    SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization ... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 8.1

    HIGH
    CVE-2025-14279

    MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauth... Read more

    Affected Products : mlflow
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.6

    HIGH
    CVE-2025-59057

    React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.2

    HIGH
    CVE-2026-21884

    React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2026-22701

    filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create sy... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Race Condition

  • 5.3

    MEDIUM
    CVE-2025-14948

    The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and inclu... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.0

    HIGH
    CVE-2026-22029

    React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the ... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 8.7

    HIGH
    CVE-2025-41005

    Imaster's MEMS Events CRM contains an SQL injection vulnerability in‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2026-22705

    RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA sign... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cryptography

  • 8.1

    HIGH
    CVE-2026-22687

    WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, ... Read more

    Affected Products : weknora
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 4.8

    MEDIUM
    CVE-2025-15505

    A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The at... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2026-0492

    SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidenti... Read more

    Affected Products : hana_database
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.6

    HIGH
    CVE-2026-22033

    Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can tr... Read more

    Affected Products : label_studio
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.7

    HIGH
    CVE-2025-40944

    A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SI... Read more

    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Denial of Service

  • 6.8

    MEDIUM
    CVE-2025-68622

    Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configura... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 10.0

    CRITICAL
    CVE-2025-65091

    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or st... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 4.8

    MEDIUM
    CVE-2025-15506

    A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption
Showing 20 of 4331 Results