Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-14574

    The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitiv... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 6.4

    MEDIUM
    CVE-2025-15019

    The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient inpu... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.2

    HIGH
    CVE-2026-21409

    Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's r... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 7.2

    HIGH
    CVE-2025-14937

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sani... Read more

    Affected Products : frontend_admin
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-13853

    The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This make... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-14172

    The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-66913

    JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2026-22584

    Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0.... Read more

    Affected Products : uni2ts
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 10.0

    HIGH
    CVE-2025-15501

    A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipulation of the argument sessionPath causes os command in... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2026-22081

    This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this ... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 6.5

    MEDIUM
    CVE-2025-13781

    GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing... Read more

    Affected Products : gitlab
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2026-22079

    This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative in... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 7.6

    HIGH
    CVE-2026-22230

    OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 6.4

    MEDIUM
    CVE-2025-13900

    The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes i... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-14598

    BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affected sites. The vulnerability enables arbitrary SQL commands to be executed on the backend database.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 3.3

    LOW
    CVE-2026-0747

    Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for ex... Read more

    Affected Products : remote_desktop_manager
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2025-56225

    fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 9.1

    CRITICAL
    CVE-2025-68715

    An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, ... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-68717

    KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 2.3

    LOW
    CVE-2026-22710

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45,... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4330 Results