Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,712
Showing 11,501 - 11,520 of 14,604 CVEs
CVE-2026-27003 MEDIUM - 5.5

OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27026 MEDIUM - 5.5

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.

Vendor: pip
Product: pypdf
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27025 MEDIUM - 5.5

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extrac...

Vendor: pip
Product: pypdf
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27024 MEDIUM - 5.5

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1.

Vendor: pip
Product: pypdf
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27022 MEDIUM - 6.5

@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by direc...

Vendor: npm
Product: @langchain/langgraph-checkpoint-redis
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26315 MEDIUM - 7.5

go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Ge...

Vendor: go
Product: github.com/ethereum/go-ethereum
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26313 MEDIUM - 7.5

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release.

Vendor: go
Product: github.com/ethereum/go-ethereum
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26989 MEDIUM - 4.3

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser ...

Vendor: composer
Product: librenms/librenms
Published: Feb 18, 2026
Source: GitHub
CVE-2026-2672 MEDIUM - 4.3

A security flaw has been discovered in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is the function Download of the file /Search/Subject/downLoad. Performing a manipulation of the argument path results in path traversal. The attack is possible to be ...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2669 MEDIUM - 6.5

A vulnerability was determined in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. This impacts an unknown function of the file /dm/dispatch/user/delete of the component User Handler. This manipulation of the argument ID causes improper access controls. Remote exploitation...

Published: Feb 18, 2026
Source: NVD
CVE-2026-27176 MEDIUM - 6.1

MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker c...

Vendor: sergejey
Product: MajorDoMo
Published: Feb 18, 2026
Source: NVD
CVE-2026-24744 MEDIUM - 5.7

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoi...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2026-24743 MEDIUM - 5.7

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2019-25400 MEDIUM - 5.4

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SR...

Vendor: Ipfire
Product: IPFire
Published: Feb 18, 2026
Source: NVD
CVE-2019-25399 MEDIUM - 6.4

IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbit...

Vendor: Ipfire
Product: IPFire
Published: Feb 18, 2026
Source: NVD
CVE-2019-25398 MEDIUM - 6.1

IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. Attackers can submit POST requests with script payloads in parameters like VPN_IP, DMTU, ccdname, ccdsu...

Vendor: Ipfire
Product: IPFire
Published: Feb 18, 2026
Source: NVD
CVE-2019-25397 MEDIUM - 6.1

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to ex...

Vendor: Ipfire
Product: IPFire
Published: Feb 18, 2026
Source: NVD
CVE-2019-25396 MEDIUM - 6.1

IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE paramet...

Vendor: Ipfire
Product: IPFire
Published: Feb 18, 2026
Source: NVD
CVE-2019-25356 MEDIUM - 6.1

Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of a...

Vendor: Bematech
Product: MP-4200
Published: Feb 18, 2026
Source: NVD
CVE-2019-25326 MEDIUM - 6.2

ipPulse 1.92 contains a denial of service vulnerability that allows local attackers to crash the application by providing an oversized input in the Enter Key field. Attackers can generate a 256-byte buffer of repeated 'A' characters to trigger an application crash when pasting the maliciou...

Vendor: Northwest Performance Software, Inc.
Product: ipPulse
Published: Feb 18, 2026
Source: NVD