Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.1

    MEDIUM
    CVE-2026-0824

    A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the publi... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-13393

    The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() functi... Read more

    Affected Products : featured_image_from_url
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Server-Side Request Forgery

  • 8.7

    HIGH
    CVE-2025-41004

    Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2026-22773

    vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1... Read more

    Affected Products : vllm
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Denial of Service

  • 10.0

    CRITICAL
    CVE-2025-65091

    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or st... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2026-22030

    React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route a... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 7.5

    HIGH
    CVE-2025-13457

    The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unau... Read more

    Affected Products : woocommerce_square
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 5.9

    MEDIUM
    CVE-2026-22798

    hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sen... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 8.7

    HIGH
    CVE-2025-40944

    A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SI... Read more

    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Denial of Service

  • 10.0

    CRITICAL
    CVE-2025-40805

    Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the atta... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 5.1

    MEDIUM
    CVE-2025-40978

    Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘reply_description’ parameter.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2026-0494

    Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are ... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 2.1

    LOW
    CVE-2026-22805

    Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This v... Read more

    Affected Products : metabase
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 8.6

    HIGH
    CVE-2026-0719

    A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use ... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 6.8

    MEDIUM
    CVE-2025-15070

    Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse.This issue affects Web Fax: from 3.0 before 3.0.1... Read more

    Affected Products : web_fax
    • Published: Dec. 29, 2025
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-15069

    Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation.This issue affects Web Fax: from 3.0 before 3.0.1... Read more

    Affected Products : web_fax
    • Published: Dec. 29, 2025
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-15068

    Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse, Session Credential Falsification through Manipulation.This issue affects Web Fax: from 3.0 before 3.0.1... Read more

    Affected Products : web_fax
    • Published: Dec. 29, 2025
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-69264

    pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 block... Read more

    Affected Products : pnpm
    • Published: Jan. 07, 2026
    • Modified: Jan. 12, 2026
    • Vuln Type: Supply Chain

  • 8.8

    HIGH
    CVE-2025-69263

    pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is com... Read more

    Affected Products : pnpm
    • Published: Jan. 07, 2026
    • Modified: Jan. 12, 2026
    • Vuln Type: Supply Chain

  • 7.8

    HIGH
    CVE-2025-69262

    pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables durin... Read more

    Affected Products : pnpm
    • Published: Jan. 07, 2026
    • Modified: Jan. 12, 2026
    • Vuln Type: Injection
Showing 20 of 4355 Results