Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.4

    MEDIUM
    CVE-2025-14976

    The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. T... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 7.5

    HIGH
    CVE-2025-15502

    A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os ... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 9.3

    CRITICAL
    CVE-2025-41006

    Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 8.6

    HIGH
    CVE-2025-41077

    IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, ... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.2

    HIGH
    CVE-2025-71063

    Errands before 46.2.10 does not verify TLS certificates for CalDAV servers.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 2.5

    LOW
    CVE-2026-22250

    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 6.4

    MEDIUM
    CVE-2025-68657

    Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without ... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 5.3

    MEDIUM
    CVE-2026-22251

    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 6.8

    MEDIUM
    CVE-2025-68656

    Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the ... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 8.8

    HIGH
    CVE-2026-22771

    Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These... Read more

    Affected Products : gateway
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 9.4

    CRITICAL
    CVE-2025-67146

    Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenti... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 4.8

    MEDIUM
    CVE-2026-22212

    TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device d... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 4.3

    MEDIUM
    CVE-2026-0494

    Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are ... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-40942

    A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges.... Read more

    Affected Products : telecontrol_server_basic
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-14001

    The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it po... Read more

    Affected Products : wp_duplicate_page
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-22030

    React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route a... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 10.0

    CRITICAL
    CVE-2025-65091

    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or st... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2025-14943

    The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function ... Read more

    Affected Products : blog2social
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-22773

    vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1... Read more

    Affected Products : vllm
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Denial of Service

  • 4.3

    MEDIUM
    CVE-2025-13393

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() functi... Read more

    Affected Products : featured_image_from_url
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Server-Side Request Forgery
Showing 20 of 4337 Results