Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
📅 Showing Year: 2026 (January 1 - December 31, 2026)
Showing 10,901 - 10,920 of 14,221 CVEs
CVE-2026-27710 MEDIUM - 5.0

NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a denial-of-service vulnerability exists in NanaZip’s `.NET Single File Application` parser. A crafted bundle can force an integer underflow in header-size calculation and trigger ...

Vendor: M2Team
Product: NanaZip
Published: Feb 26, 2026
Source: NVD
CVE-2026-27709 MEDIUM - 6.6

NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, NanaZip’s `.NET Single File Application` parser has an out-of-bounds read vulnerability in manifest parsing. A crafted bundle can provide a malformed `RelativePathLength` so the pa...

Vendor: M2Team
Product: NanaZip
Published: Feb 26, 2026
Source: NVD
CVE-2026-26186 MEDIUM - 8.8

Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause, specially crafted i...

Vendor: fleetdm
Product: fleet
Published: Feb 26, 2026
Source: NVD
CVE-2026-3209 MEDIUM - 6.3

A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The exploit has been disclosed to the...

Published: Feb 25, 2026
Source: NVD
CVE-2026-2694 MEDIUM - 5.4

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated...

Published: Feb 25, 2026
Source: NVD
CVE-2026-27951 MEDIUM - 5.3

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems w...

Vendor: FreeRDP
Product: FreeRDP
Published: Feb 25, 2026
Source: NVD
CVE-2026-27116 MEDIUM - 6.1

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script&...

Vendor: go-vikunja
Product: vikunja
Published: Feb 25, 2026
Source: NVD
CVE-2026-2845 MEDIUM - 6.5

An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending large responses.

Vendor: gitlab
Product: gitlab
Published: Feb 25, 2026
Source: NVD
CVE-2026-27015 MEDIUM - 6.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. Th...

Vendor: FreeRDP
Product: FreeRDP
Published: Feb 25, 2026
Source: NVD
CVE-2026-26271 MEDIUM - 5.3

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client process...

Vendor: FreeRDP
Product: FreeRDP
Published: Feb 25, 2026
Source: NVD
CVE-2026-22721 MEDIUM - 6.2

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'F...

Vendor: VMware
Product: VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Platform, VMware Telco Cloud Infrastructure
Published: Feb 25, 2026
Source: NVD
CVE-2026-1747 MEDIUM - 4.3

GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.

Vendor: gitlab
Product: gitlab
Published: Feb 25, 2026
Source: NVD
CVE-2026-1725 MEDIUM - 5.3

GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have, under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.

Vendor: gitlab
Product: gitlab
Published: Feb 25, 2026
Source: NVD
CVE-2026-2636 MEDIUM - 5.5

This vulnerability is caused by a CWE‑159: "Improper Handling of Invalid Use of Special Elements" weakness, which leads to an unrecoverable inconsistency in the CLFS.sys driver. This condition forces a call to the KeBugCheckEx function, allowing an unprivileged user to trigger a system cra...

Published: Feb 25, 2026
Source: NVD
CVE-2026-25941 MEDIUM - 4.3

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memo...

Vendor: FreeRDP
Product: FreeRDP
Published: Feb 25, 2026
Source: NVD
CVE-2025-3525 MEDIUM - 6.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI trigger...

Vendor: gitlab
Product: gitlab
Published: Feb 25, 2026
Source: NVD
CVE-2025-14103 MEDIUM - 4.3

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.

Vendor: GitLab
Product: GitLab
Published: Feb 25, 2026
Source: NVD
CVE-2026-3221 MEDIUM - 4.9

Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.

Vendor: devolutions
Product: devolutions_server
Published: Feb 25, 2026
Source: NVD
CVE-2026-25930 MEDIUM - 6.5

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visitid` (or `patientid`) from the request and does not verify that the form belongs to the current user’s...

Vendor: openemr
Product: openemr
Published: Feb 25, 2026
Source: NVD
CVE-2026-25929 MEDIUM - 6.5

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s `patient_picture` context serves the patient’s photo by document ID or patient ID without verifying that the current user is authorized to access...

Vendor: openemr
Product: openemr
Published: Feb 25, 2026
Source: NVD