Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,724
📅 Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,001 - 11,020 of 14,221 CVEs
CVE-2026-27477 MEDIUM - 5.9

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or re...

Vendor: mastodon
Product: mastodon
Published: Feb 24, 2026
Source: NVD
CVE-2026-24241 MEDIUM - 4.3

NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an attacker could exploit an improper authentication issue. A successful exploit of this vulnerability might lead to information disclosure.

Vendor: NVIDIA
Product: DLS component of NVIDIA License System
Published: Feb 24, 2026
Source: NVD
CVE-2026-23858 MEDIUM - 5.4

Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Script Injection.

Vendor: Dell
Product: Wyse Management Suite
Published: Feb 24, 2026
Source: NVD
CVE-2026-1768 MEDIUM - 4.3

A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries. This issue affects Devolutions Server: before 2025.3.15.

Vendor: devolutions
Product: devolutions_server
Published: Feb 24, 2026
Source: NVD
CVE-2025-1787 MEDIUM - 4.2

Local admin could leak information from the Genetec Update Service configuration web page. An authenticated, admin privileged, Windows user could exploit this vulnerability to gain elevated privileges in the Genetec Update Service. Could be combined with CVE-2025-1789 to achieve low privilege esc...

Vendor: genetec
Product: genetec_update_service
Published: Feb 24, 2026
Source: NVD
CVE-2026-27156 MEDIUM - 6.1

NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When...

Vendor: zauberzeug
Product: nicegui
Published: Feb 24, 2026
Source: NVD
CVE-2026-25603 MEDIUM - 6.6

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Linksys MR9600, Linksys MX4200 allows the contents of a USB drive partition to be mounted in an arbitrary location of the file system. This may result in the execution of shell scripts in the ...

Vendor: Linksys
Product: MR9600, MX4200
Published: Feb 24, 2026
Source: NVD
CVE-2025-62512 MEDIUM - 5.3

Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?...

Vendor: Piwigo
Product: Piwigo
Published: Feb 24, 2026
Source: NVD
CVE-2026-27589 MEDIUM - 6.5

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin...

Vendor: caddyserver
Product: caddy
Published: Feb 24, 2026
Source: NVD
CVE-2026-27585 MEDIUM - 6.5

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations...

Vendor: caddyserver
Product: caddy
Published: Feb 24, 2026
Source: NVD
CVE-2026-27571 MEDIUM - 5.9

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS mess...

Vendor: nats-io
Product: nats-server
Published: Feb 24, 2026
Source: NVD
CVE-2026-27521 MEDIUM - 6.5

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior do not implement rate limiting or account lockout on failed login attempts, enabling brute-force attacks against user credentials.

Vendor: Binardat Ltd.
Product: 10G08-0800GSM Network Switch
Published: Feb 24, 2026
Source: NVD
CVE-2026-27518 MEDIUM - 4.3

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior lack CSRF protections for state-changing actions in the administrative interface. An attacker can trick an authenticated administrator into performing unauthorized configuration changes.

Vendor: Binardat Ltd.
Product: 10G08-0800GSM Network Switch
Published: Feb 24, 2026
Source: NVD
CVE-2026-27517 MEDIUM - 5.4

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior reflect unsanitized user input in the web interface, allowing an attacker to inject and execute arbitrary JavaScript in the context of an authenticated user.

Vendor: Binardat Ltd.
Product: 10G08-0800GSM Network Switch
Published: Feb 24, 2026
Source: NVD
CVE-2025-47904 MEDIUM - 4.1

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update. This issue affects Time Provider 4100: before 2.5.

Vendor: Microchip
Product: Time Provider 4100
Published: Feb 24, 2026
Source: NVD
CVE-2026-3102 MEDIUM - 6.3

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried...

Vendor: exiftool_project
Product: exiftool
Published: Feb 24, 2026
Source: NVD
CVE-2026-3101 MEDIUM - 6.3

A vulnerability was found in Intelbras TIP 635G 1.12.3.5. This vulnerability affects unknown code of the component Ping Handler. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early a...

Vendor: intelbras
Product: tip_635g_firmware
Published: Feb 24, 2026
Source: NVD
CVE-2026-27567 MEDIUM - 6.5

Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow...

Vendor: payloadcms
Product: payload
Published: Feb 24, 2026
Source: NVD
CVE-2026-0402 MEDIUM - 4.9

A post-authentication Out-of-bounds Read vulnerability in SonicOS allows a remote attacker to crash a firewall.

Vendor: sonicwall
Product: sonicos
Published: Feb 24, 2026
Source: NVD
CVE-2026-0401 MEDIUM - 4.9

A post-authentication NULL Pointer Dereference vulnerability in SonicOS allows a remote attacker to crash a firewall.

Vendor: sonicwall
Product: sonicos
Published: Feb 24, 2026
Source: NVD