Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,724
Showing 10,961 - 10,980 of 14,604 CVEs
CVE-2026-26104 MEDIUM - 5.5

A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive c...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Feb 25, 2026
Source: NVD
CVE-2026-2410 MEDIUM - 4.3

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to ...

Published: Feb 25, 2026
Source: NVD
CVE-2026-2367 MEDIUM - 6.4

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attri...

Published: Feb 25, 2026
Source: NVD
CVE-2026-2301 MEDIUM - 4.3

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of W...

Published: Feb 25, 2026
Source: NVD
CVE-2025-14742 MEDIUM - 4.3

The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, w...

Vendor: brechtvds
Product: WP Recipe Maker
Published: Feb 25, 2026
Source: NVD
CVE-2026-2479 MEDIUM - 5.0

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of `strpos()` for substring-based hostname validation instead of strict host comparison in the `ajax_upload_image()` function. T...

Published: Feb 25, 2026
Source: NVD
CVE-2025-11563 MEDIUM - 4.6

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

Vendor: curl
Product: curl
Published: Feb 25, 2026
Source: NVD
CVE-2026-1614 MEDIUM - 6.4

The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity block attribute in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authe...

Published: Feb 25, 2026
Source: NVD
CVE-2026-3163 MEDIUM - 6.3

A vulnerability has been found in SourceCodester Website Link Extractor 1.0. This vulnerability affects the function file_get_contents of the component URL Handler. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed t...

Vendor: remyandrade
Product: website_link_extractor
Published: Feb 25, 2026
Source: NVD
CVE-2026-3100 MEDIUM - 6.5

The FTP Backup on the ADM does not strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. Improperly validated TLS/SSL certificates allow a remote attacker to intercept network traffic to perform a Man-in-the-Middle (MitM) attack, which may inte...

Vendor: asustor
Product: data_master
Published: Feb 25, 2026
Source: NVD
CVE-2026-3150 MEDIUM - 6.3

A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to SQL injection. The attack can be carried out remotely. The exploit has been d...

Vendor: angeljudesuarez
Product: college_management_system
Published: Feb 25, 2026
Source: NVD
CVE-2026-3149 MEDIUM - 6.3

A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Manipulation of the argument course_code can lead to SQL injection. The attack can be executed remotely...

Vendor: angeljudesuarez
Product: college_management_system
Published: Feb 25, 2026
Source: NVD
CVE-2026-27645 MEDIUM - 6.1

changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the brow...

Vendor: dgtlmoon
Product: changedetection.io
Published: Feb 25, 2026
Source: NVD
CVE-2025-0976 MEDIUM - 4.7

Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager. This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 before 11.0.4-00; Hitachi Configuration Manager: from 8.6.1-00 before 11.0.5-00.

Vendor: hitachi
Product: configuration_manager
Published: Feb 25, 2026
Source: NVD
CVE-2026-3147 MEDIUM - 5.3

A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch ...

Vendor: libvips
Product: libvips
Published: Feb 25, 2026
Source: NVD
CVE-2026-27747 MEDIUM - 6.5

The SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly in...

Vendor: SPIP
Product: interface_traduction_objets
Published: Feb 25, 2026
Source: NVD
CVE-2026-27746 MEDIUM - 6.1

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into pages...

Vendor: SPIP
Product: jeux
Published: Feb 25, 2026
Source: NVD
CVE-2026-27639 MEDIUM - 5.4

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the...

Vendor: dbarzin
Product: mercator
Published: Feb 25, 2026
Source: NVD
CVE-2026-3145 MEDIUM - 5.3

A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patch...

Vendor: libvips
Product: libvips
Published: Feb 25, 2026
Source: NVD
CVE-2026-27629 MEDIUM - 5.9

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a...

Vendor: inventree
Product: InvenTree
Published: Feb 25, 2026
Source: NVD