Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,706
Showing 11,421 - 11,440 of 14,108 CVEs
CVE-2025-12821 HIGH - 8.8

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary fi...

Vendor: spicethemes
Product: NewsBlogger
Published: Feb 19, 2026
Source: NVD
CVE-2025-12707 HIGH - 7.5

The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it pos...

Vendor: owthub
Product: Library Management System
Published: Feb 19, 2026
Source: NVD
CVE-2025-11754 HIGH - 7.5

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive pl...

Vendor: wplegalpages
Product: Cookie Banner for GDPR / CCPA – WPLP Cookie Consent
Published: Feb 19, 2026
Source: NVD
CVE-2026-2684 HIGH - 7.3

A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be lau...

Published: Feb 19, 2026
Source: NVD
CVE-2026-25926 HIGH - 7.3

Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable path. This may allow execution of a malicious explorer.exe if an attacker can control the process wor...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Feb 19, 2026
Source: NVD
CVE-2026-27013 HIGH - 7.6

Fabric.js is a JavaScript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When a...

Vendor: npm
Product: fabric
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27002 HIGH - 9.8

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27001 HIGH - 7.8

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example ...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26996 HIGH - 7.5

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't...

Vendor: npm
Product: minimatch
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26318 HIGH - 8.8

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

Vendor: npm
Product: systeminformation
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26314 HIGH - 7.5

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shut down/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.

Vendor: go
Product: github.com/ethereum/go-ethereum
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26990 HIGH - 8.8

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into a...

Vendor: composer
Product: librenms/librenms
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26988 HIGH - 9.1

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, t...

Vendor: composer
Product: librenms/librenms
Published: Feb 18, 2026
Source: GitHub
CVE-2026-2670 HIGH - 7.2

A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected is an unknown function of the file /cgi-bin/luci/admin/openvpn_apply of the component Background Management. Such manipulation of the argument delete_file leads to os command injection. The attack can be executed remotely...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2650 HIGH - 8.8

Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Feb 18, 2026
Source: NVD
CVE-2026-2649 HIGH - 8.8

Integer overflow in V8 in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Feb 18, 2026
Source: NVD
CVE-2026-2648 HIGH - 8.8

Heap buffer overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Feb 18, 2026
Source: NVD
CVE-2026-27182 HIGH - 8.4

Saturn Remote Mouse Server contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending specially crafted UDP JSON frames to port 27000. Attackers on the local network can send malformed packets with unsanitized command data that the servi...

Vendor: saturnremote
Product: Saturn Remote Mouse Server
Published: Feb 18, 2026
Source: NVD
CVE-2026-27181 HIGH - 7.5

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reach...

Vendor: sergejey
Product: MajorDoMo
Published: Feb 18, 2026
Source: NVD
CVE-2026-27179 HIGH - 8.2

MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands m...

Vendor: sergejey
Product: MajorDoMo
Published: Feb 18, 2026
Source: NVD