CVE-2026-0845 HIGH - 7.2

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' fun...

Published: Feb 10, 2026
Source: NVD
CVE-2025-15310 HIGH - 7.8

Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools.

Vendor: Tanium
Product: Patch Endpoint Tools
Published: Feb 10, 2026
Source: NVD
CVE-2026-25958 HIGH - 7.7

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.

Vendor: cube-js
Product: cube
Published: Feb 09, 2026
Source: NVD
CVE-2026-25951 HIGH - 7.2

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an ...

Vendor: frangoteam
Product: FUXA
Published: Feb 09, 2026
Source: NVD
CVE-2026-25931 HIGH - 7.8

vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag. The value defaults to true (package.json) and is read from workspace co...

Vendor: streetsidesoftware
Product: vscode-spell-checker
Published: Feb 09, 2026
Source: NVD
CVE-2025-15319 HIGH - 7.8

Tanium addressed a local privilege escalation vulnerability in Endpoint Configuration Toolset Solution.

Vendor: Tanium
Product: Patch Endpoint Tools
Published: Feb 09, 2026
Source: NVD
CVE-2026-25961 HIGH - 7.5

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's ...

Vendor: sumatrapdfreader
Product: sumatrapdf
Published: Feb 09, 2026
Source: NVD
CVE-2026-25925 HIGH - 7.8

PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to inst...

Vendor: modery
Product: PowerDocu
Published: Feb 09, 2026
Source: NVD
CVE-2026-25892 HIGH - 7.5

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any ...

Vendor: vrana
Product: adminer
Published: Feb 09, 2026
Source: NVD
CVE-2026-25890 HIGH - 8.1

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding mul...

Vendor: filebrowser
Product: filebrowser
Published: Feb 09, 2026
Source: NVD
CVE-2026-25880 HIGH - 7.8

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s sy...

Vendor: sumatrapdfreader
Product: sumatrapdf
Published: Feb 09, 2026
Source: NVD
CVE-2026-25808 HIGH - 7.5

Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixe...

Vendor: fedify-dev
Product: hollo
Published: Feb 09, 2026
Source: NVD
CVE-2026-25807 HIGH - 8.8

ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 without any authentication mechanism. Any remote attacker can connect to this port using a simple sock...

Vendor: TaklaXBR
Product: zai-shell
Published: Feb 09, 2026
Source: NVD

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configurati...

Vendor: craftcms
Product: cms
Published: Feb 09, 2026
Source: NVD

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileg...

Vendor: craftcms
Product: cms
Published: Feb 09, 2026
Source: NVD

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input befor...

Vendor: craftcms
Product: cms
Published: Feb 09, 2026
Source: NVD
CVE-2026-25231 HIGH - 7.5

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.3.0, the application contains an unauthenticated file read vulnerability due to the lack of access control on the /uploads directory. Files uploaded to this directory can be accessed directly by any user who knows or can...

Vendor: error311
Product: FileRise
Published: Feb 09, 2026
Source: NVD
CVE-2026-1529 HIGH - 8.1

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register int...

Vendor: maven
Product: org.keycloak:keycloak-services
Published: Feb 09, 2026
Source: NVD
CVE-2026-1486 HIGH - 8.8

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter...

Vendor: maven
Product: org.keycloak:keycloak-services
Published: Feb 09, 2026
Source: NVD
CVE-2026-24684 HIGH - 7.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.

Vendor: FreeRDP
Product: FreeRDP
Published: Feb 09, 2026
Source: NVD