Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.1

    HIGH
    CVE-2026-22218

    Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the... Read more

    Affected Products :
    • Published: Jan. 20, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Path Traversal

  • 5.5

    MEDIUM
    CVE-2026-1194

    A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public a... Read more

    Affected Products :
    • Published: Jan. 20, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Information Disclosure

  • 8.0

    HIGH
    CVE-2026-20960

    Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.... Read more

    Affected Products : power-apps
    • Published: Jan. 16, 2026
    • Modified: Jan. 26, 2026

  • 7.5

    HIGH
    CVE-2026-1124

    A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in ... Read more

    Affected Products : ksoa
    • Published: Jan. 18, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 9.1

    CRITICAL
    CVE-2025-11043

    An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 2.7

    LOW
    CVE-2025-52660

    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Misconfiguration

  • 10.0

    CRITICAL
    CVE-2026-23800

    Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0.... Read more

    Affected Products :
    • Published: Jan. 16, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2026-1179

    A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. The attack can be launched rem... Read more

    Affected Products : ksoa
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 8.3

    HIGH
    CVE-2026-22219

    Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an E... Read more

    Affected Products :
    • Published: Jan. 20, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Server-Side Request Forgery

  • 7.3

    HIGH
    CVE-2026-23880

    OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnera... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-10484

    The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authentic... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication

  • 9.0

    HIGH
    CVE-2026-1140

    A vulnerability was found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigExceptAli. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The exploit has been made public ... Read more

    Affected Products :
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 5.1

    MEDIUM
    CVE-2026-1146

    A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/l... Read more

    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-61684

    Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly... Read more

    Affected Products : quicly
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Denial of Service

  • 9.0

    HIGH
    CVE-2026-1156

    A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the ... Read more

    Affected Products : lr350_firmware
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 7.7

    HIGH
    CVE-2026-23531

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of... Read more

    Affected Products : freerdp
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Memory Corruption

  • 6.6

    MEDIUM
    CVE-2026-23885

    Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribu... Read more

    Affected Products : alchemy_cms
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-1160

    A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to sql injection. The attack may be... Read more

    Affected Products : directory_management_system
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Injection

  • 4.4

    MEDIUM
    CVE-2026-0725

    The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This ma... Read more

    Affected Products :
    • Published: Jan. 17, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2026-23849

    File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attacke... Read more

    Affected Products : filebrowser
    • Published: Jan. 19, 2026
    • Modified: Jan. 26, 2026
    • Vuln Type: Authentication
Showing 20 of 4607 Results