Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.3

    HIGH
    CVE-2026-25117

    pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same orig... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.5

    CRITICAL
    CVE-2025-26385

    Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects  ... Read more

    Affected Products : metasys
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 7.8

    HIGH
    CVE-2026-21418

    Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leadi... Read more

    Affected Products : unity_operating_environment
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2026-22806

    vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access ... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authorization

  • 8.6

    HIGH
    CVE-2025-69662

    SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-63657

    An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Denial of Service

  • 6.9

    MEDIUM
    CVE-2024-9432

    Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data.   The vulnerability could read Vertica agent plaintext apikey.This issue affects Vertica versions: 23.X, 24.X, 25.X.... Read more

    Affected Products : vertica
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Information Disclosure

  • 4.8

    MEDIUM
    CVE-2025-15549

    FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in t... Read more

    Affected Products : fluentcms
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-63656

    An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Denial of Service

  • 4.3

    MEDIUM
    CVE-2026-22624

    Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-62349

    Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections in... Read more

    Affected Products : salt
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-63650

    An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Denial of Service

  • 9.8

    CRITICAL
    CVE-2025-69929

    An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string format... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-63651

    A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Memory Corruption

  • 9.3

    CRITICAL
    CVE-2026-24728

    A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Authentication

  • 8.6

    HIGH
    CVE-2025-4686

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection.This issue affects Online Exa... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection

  • 4.8

    MEDIUM
    CVE-2026-1705

    A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possibl... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Cross-Site Scripting

  • 10.0

    CRITICAL
    CVE-2026-1699

    In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the... Read more

    Affected Products :
    • Published: Jan. 30, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Misconfiguration

  • 6.5

    MEDIUM
    CVE-2026-24845

    malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI i... Read more

    Affected Products :
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Supply Chain

  • 6.5

    MEDIUM
    CVE-2026-1625

    A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. Th... Read more

    Affected Products : dwr-m961_firmware
    • Published: Jan. 29, 2026
    • Modified: Feb. 04, 2026
    • Vuln Type: Injection
Showing 20 of 4606 Results