Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Showing 11,081 - 11,100 of 14,604 CVEs
CVE-2025-69251 MEDIUM - 5.3

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the ueId parameter, triggering internal URL parsing errors (net/...

Vendor: free5gc
Product: udm
Published: Feb 24, 2026
Source: NVD
CVE-2026-3063 MEDIUM - 5.4

Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Feb 23, 2026
Source: NVD
CVE-2026-3040 MEDIUM - 4.7

A vulnerability was identified in DrayTek Vigor 300B up to 1.5.1.6. This affects the function cgiGetFile of the file /cgi-bin/mainfunction.cgi/uploadlangs of the component Web Management Interface. The manipulation of the argument File leads to os command injection. The attack may be initiated remot...

Vendor: draytek
Product: vigor300b_firmware
Published: Feb 23, 2026
Source: NVD
CVE-2026-3028 MEDIUM - 4.3

A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The...

Vendor: huayi-tec
Product: jeewms
Published: Feb 23, 2026
Source: NVD
CVE-2026-27742 MEDIUM - 5.4

Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript in...

Vendor: Bludit
Product: Bludit
Published: Feb 23, 2026
Source: NVD
CVE-2026-27741 MEDIUM - 4.3

Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can in...

Vendor: Bludit
Product: Bludit
Published: Feb 23, 2026
Source: NVD
CVE-2026-27128 MEDIUM - 4.8

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a toke...

Vendor: composer
Product: craftcms/cms
Published: Feb 23, 2026
Source: GitHub
CVE-2025-69208 MEDIUM - 5.3

free5GC UDR is the user data repository (UDR) for free5GC, an open-source project for 5th generation (5G) mobile core networks. Versions prior to 1.4.1 contain an Improper Error Handling vulnerability with Information Exposure. All deployments of free5GC using the Nnef_PfdManagement service may b...

Vendor: free5gc
Product: udr
Published: Feb 23, 2026
Source: NVD
CVE-2026-27126 MEDIUM - 4.8

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an a...

Vendor: composer
Product: craftcms/cms
Published: Feb 23, 2026
Source: GitHub
CVE-2026-25545 MEDIUM - 8.6

Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page (e.g. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, it will be fetched on `/500.html` and they ca...

Vendor: npm
Product: @astrojs/node
Published: Feb 23, 2026
Source: GitHub
CVE-2026-3075 MEDIUM - 5.3

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data. This issue affects Simple Ajax Chat: from n/a through <= 20251121.

Published: Feb 23, 2026
Source: NVD
CVE-2026-3027 MEDIUM - 4.3

A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit ...

Vendor: jeewms
Product: jeewms
Published: Feb 23, 2026
Source: NVD
CVE-2026-23521 MEDIUM - 6.5

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path wi...

Vendor: traccar
Product: traccar
Published: Feb 23, 2026
Source: NVD
CVE-2025-61147 MEDIUM - 6.2

strukturag libde265 commit d9fea9d was discovered to contain a segmentation fault via the component decoder_context::compute_framedrop_table().

Published: Feb 23, 2026
Source: NVD
CVE-2025-61146 MEDIUM - 4.0

saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c.

Vendor: libsixel_project
Product: libsixel
Published: Feb 23, 2026
Source: NVD
CVE-2025-61145 MEDIUM - 5.0

libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.

Vendor: libtiff
Product: libtiff
Published: Feb 23, 2026
Source: NVD
CVE-2025-61143 MEDIUM - 5.5

libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.

Vendor: libtiff
Product: libtiff
Published: Feb 23, 2026
Source: NVD
CVE-2026-26464 MEDIUM - 6.1

Stored Cross-Site Scripting (XSS) was found in the /admin/edit_user.php page of Society Management System Portal V1.0, which allows remote attackers to inject and store arbitrary JavaScript code that is executed in users' browsers. This vulnerability can be exploited via the name parameter in a...

Vendor: kashipara
Product: society_management_system_portal
Published: Feb 23, 2026
Source: NVD
CVE-2026-2698 MEDIUM - 6.5

An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.

Vendor: tenable
Product: security_center
Published: Feb 23, 2026
Source: NVD
CVE-2026-27514 MEDIUM - 6.5

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits approp...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: Tenda F3
Published: Feb 23, 2026
Source: NVD