Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.8

    MEDIUM
    CVE-2026-22212

    TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device d... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 9.6

    CRITICAL
    CVE-2026-0500

    Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim cl... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-66689

    A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact stri... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 2.1

    LOW
    CVE-2026-22805

    Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This v... Read more

    Affected Products : metabase
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 8.2

    HIGH
    CVE-2023-36331

    Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.1

    HIGH
    CVE-2026-0511

    SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is n... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2026-22705

    RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA sign... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cryptography

  • 5.1

    MEDIUM
    CVE-2025-40975

    Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/hrmgo/ticket/changereply’, using the ‘description’ parameter.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.1

    CRITICAL
    CVE-2026-0491

    SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization ... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2026-0493

    Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2025-40942

    A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges.... Read more

    Affected Products : telecontrol_server_basic
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 10.0

    CRITICAL
    CVE-2025-40805

    Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the atta... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 8.7

    HIGH
    CVE-2025-40944

    A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SI... Read more

    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Denial of Service

  • 10.0

    CRITICAL
    CVE-2025-65091

    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or st... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-0822

    A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit ... Read more

    Affected Products : quickjs
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 6.3

    MEDIUM
    CVE-2026-0842

    A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exp... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2026-0843

    A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql inj... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2026-22693

    HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before usin... Read more

    Affected Products : harfbuzz
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-15503

    A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results i... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 6.5

    MEDIUM
    CVE-2026-22689

    Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) v... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration
Showing 20 of 4329 Results