Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.7

    HIGH
    CVE-2026-22079

    This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative in... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 6.0

    MEDIUM
    CVE-2025-46644

    Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-13903

    The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This m... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-13717

    The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for un... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 9.3

    CRITICAL
    CVE-2025-7072

    The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges. This vulnerability has be... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 9.4

    CRITICAL
    CVE-2025-68717

    KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw... Read more

    Affected Products :
    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 7.6

    HIGH
    CVE-2025-69195

    A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exp... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 2.3

    LOW
    CVE-2026-22710

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45,... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-56225

    fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file.... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 2.3

    LOW
    CVE-2026-22714

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 10.0

    CRITICAL
    CVE-2025-69426

    The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the c... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 8.2

    HIGH
    CVE-2025-67070

    A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change t... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 7.2

    HIGH
    CVE-2025-15055

    The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possib... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2025-15496

    A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly ... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.9

    MEDIUM
    CVE-2025-15035

    Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functional... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-13893

    The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible ... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-15057

    The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprin... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-14146

    The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by def... Read more

    Affected Products : booking_calendar
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 7.2

    HIGH
    CVE-2025-14657

    The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authentication

  • 6.1

    MEDIUM
    CVE-2025-13892

    The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possibl... Read more

    Affected Products :
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4642 Results