Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 10.0

    CRITICAL
    CVE-2025-69425

    The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and a... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 6.4

    MEDIUM
    CVE-2025-13852

    The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output esc... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-14937

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sani... Read more

    Affected Products : frontend_admin
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-14980

    The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to ext... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2025-14436

    The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possi... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.8

    MEDIUM
    CVE-2026-21896

    Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) fr... Read more

    Affected Products : kirby
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 8.4

    HIGH
    CVE-2026-0830

    Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 2.3

    LOW
    CVE-2026-22712

    Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.4... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-15464

    Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.... Read more

    Affected Products : fun_print_mobile
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2025-67810

    In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 6.9

    MEDIUM
    CVE-2025-15035

    Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functional... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 10.0

    CRITICAL
    CVE-2025-40805

    Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the atta... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 5.9

    MEDIUM
    CVE-2026-22798

    hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sen... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 8.8

    HIGH
    CVE-2026-22685

    DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently ... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 8.1

    HIGH
    CVE-2026-0511

    SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is n... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 3.7

    LOW
    CVE-2026-22611

    AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls ... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Server-Side Request Forgery

  • 2.1

    LOW
    CVE-2026-22805

    Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This v... Read more

    Affected Products : metabase
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 9.1

    CRITICAL
    CVE-2025-61686

    React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-ru... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 8.7

    HIGH
    CVE-2025-40944

    A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SI... Read more

    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Denial of Service

  • 2.5

    LOW
    CVE-2026-22250

    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration
Showing 20 of 4351 Results