Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2025-55423

    A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization... Read more

    Affected Products :
    • Published: Jan. 20, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-15113

    Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory a... Read more

    Affected Products : lares_firmware lares
    • Published: Dec. 30, 2025
    • Modified: Jan. 21, 2026
    • Vuln Type: Misconfiguration

  • 9.8

    CRITICAL
    CVE-2022-50905

    e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An at... Read more

    Affected Products : e107
    • Published: Jan. 13, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.4

    CRITICAL
    CVE-2026-22813

    OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection... Read more

    Affected Products : opencode
    • Published: Jan. 12, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2026-22812

    OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. T... Read more

    Affected Products : opencode
    • Published: Jan. 12, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2026-22036

    Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and e... Read more

    Affected Products : undici
    • Published: Jan. 14, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Denial of Service

  • 8.8

    HIGH
    CVE-2025-67077

    File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action.... Read more

    Affected Products : agora-project
    • Published: Jan. 15, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2025-67076

    Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read.... Read more

    Affected Products : agora-project
    • Published: Jan. 15, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Path Traversal

  • 6.1

    MEDIUM
    CVE-2025-67078

    Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors.... Read more

    Affected Products : agora-project
    • Published: Jan. 15, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-67079

    File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions.... Read more

    Affected Products : agora-project
    • Published: Jan. 15, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Injection

  • 9.2

    CRITICAL
    CVE-2026-22863

    Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined atta... Read more

    Affected Products : deno
    • Published: Jan. 15, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Cryptography

  • 9.8

    CRITICAL
    CVE-2026-22864

    Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive compa... Read more

    Affected Products : deno
    • Published: Jan. 15, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2026-22977

    In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists t... Read more

    Affected Products : linux_kernel
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Memory Corruption

  • 8.4

    HIGH
    CVE-2025-65397

    An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/imag... Read more

    Affected Products :
    • Published: Jan. 14, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2025-60021

    Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not valid... Read more

    Affected Products : brpc
    • Published: Jan. 16, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-68438

    In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used... Read more

    Affected Products : airflow
    • Published: Jan. 16, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Information Disclosure

  • 7.5

    HIGH
    CVE-2025-68675

    In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically mas... Read more

    Affected Products : airflow
    • Published: Jan. 16, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Information Disclosure

  • 2.7

    LOW
    CVE-2025-14083

    A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Information Disclosure

  • 3.7

    LOW
    CVE-2026-0988

    A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an i... Read more

    Affected Products :
    • Published: Jan. 21, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Denial of Service

  • 7.4

    HIGH
    CVE-2025-59870

    HCL MyXalytics  is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk... Read more

    Affected Products : dryice_myxalytics
    • Published: Jan. 16, 2026
    • Modified: Jan. 21, 2026
    • Vuln Type: Cryptography
Showing 20 of 4285 Results