Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,916
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 4,201 - 4,220 of 38,432 CVEs
CVE-2025-69127 CRITICAL - 9.8

Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.

Vendor: ThemeREX
Product: Plumbing
Published: Jun 17, 2026
Source: NVD
CVE-2025-69126 HIGH - 8.1

Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions.

Vendor: ThemeREX
Product: Fortius
Published: Jun 17, 2026
Source: NVD
CVE-2025-69123 HIGH - 8.1

Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions.

Vendor: ThemeREX
Product: Snow Club
Published: Jun 17, 2026
Source: NVD
CVE-2025-69120 HIGH - 8.1

Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions.

Vendor: ThemeREX
Product: Dazzle
Published: Jun 17, 2026
Source: NVD
CVE-2025-69115 HIGH - 8.1

Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme <= 1.2.2 versions.

Vendor: ThemeREX
Product: LuxMed | Medicine & Healthcare Doctor WordPress Theme
Published: Jun 17, 2026
Source: NVD
CVE-2025-69111 CRITICAL - 9.8

Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.

Vendor: ThemeREX
Product: Reisen
Published: Jun 17, 2026
Source: NVD
CVE-2025-69106 HIGH - 8.1

Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions.

Vendor: ThemeREX
Product: Imba
Published: Jun 17, 2026
Source: NVD
CVE-2025-68524 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Avante < 3.0.5 versions.

Vendor: ThemeGoods
Product: Avante
Published: Jun 17, 2026
Source: NVD
CVE-2025-66391 HIGH - 8.8

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account.

Published: Jun 17, 2026
Source: NVD
CVE-2025-60236 CRITICAL - 9.8

Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5.

Vendor: EMV
Product: Creatify
Published: Jun 17, 2026
Source: NVD
CVE-2025-60231 CRITICAL - 9.8

Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1.

Vendor: EMV
Product: The Hospital
Published: Jun 17, 2026
Source: NVD
CVE-2025-60230 CRITICAL - 9.8

Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9.

Vendor: Themeton
Product: The Barber Shop
Published: Jun 17, 2026
Source: NVD
CVE-2025-60229 CRITICAL - 9.8

Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0.

Vendor: Themeton
Product: Lagom
Published: Jun 17, 2026
Source: NVD
CVE-2025-59554 CRITICAL - 9.3

Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions.

Vendor: Advanced Ads GmbH
Product: Advanced Ads – Tracking
Published: Jun 17, 2026
Source: NVD
CVE-2025-15657 MEDIUM - 5.3

Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.

Vendor: Mojoomla
Product: School Management
Published: Jun 17, 2026
Source: NVD
CVE-2026-54015 MEDIUM - 6.4

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that ...

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54014 MEDIUM - 4.3

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cac...

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54013 HIGH - 7.6

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The ModelMeta class has no validate_profile_image_...

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54012 HIGH - 7.1

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referen...

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54011 HIGH - 8.7

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLev...

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub