Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,694
Showing 11,521 - 11,540 of 14,108 CVEs
CVE-2025-13691 HIGH - 8.1

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system.

Vendor: IBM
Product: DataStage on Cloud Pak for Data
Published: Feb 17, 2026
Source: NVD
CVE-2026-2620 HIGH - 7.3

A weakness has been identified in Huace Monitoring and Early Warning System 2.2. Affected by this issue is some unknown functionality of the file /Web/SysManage/ProjectRole.aspx. Executing a manipulation of the argument ID can lead to SQL injection. It is possible to launch the attack remotely. The ...

Published: Feb 17, 2026
Source: NVD
CVE-2026-26736 HIGH - 8.8

TOTOLINK A3002RU_V3 V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the static_ipv6 parameter in the formIpv6Setup function.

Vendor: totolink
Product: a3002ru_firmware
Published: Feb 17, 2026
Source: NVD
CVE-2026-26732 HIGH - 8.8

TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the vpnUser or vpnPassword parameters in the formFilter function.

Vendor: totolink
Product: a3002ru_firmware
Published: Feb 17, 2026
Source: NVD
CVE-2026-26731 HIGH - 8.8

TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the routernamer parameter in the formDnsv6 function.

Vendor: totolink
Product: a3002ru_firmware
Published: Feb 17, 2026
Source: NVD
CVE-2026-25474 HIGH - 7.5

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an ...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25232 HIGH - 8.8

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the...

Vendor: go
Product: gogs.io/gogs
Published: Feb 17, 2026
Source: GitHub
CVE-2025-36247 HIGH - 7.1

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume mem...

Vendor: IBM
Product: Db2 for Linux, UNIX and Windows
Published: Feb 17, 2026
Source: NVD
CVE-2024-55270 HIGH - 8.8

phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter.

Vendor: phpgurukul
Product: student_management_system
Published: Feb 17, 2026
Source: NVD
CVE-2026-23648 HIGH - 7.8

Glory RBG-100 recycler systems using the ISPK-08 software component contain multiple system binaries with overly permissive file permissions. Several binaries executed by the root user are writable and executable by unprivileged local users. An attacker with local access can replace or modify these ...

Vendor: Glory Global Solutions
Product: RBG-100
Published: Feb 17, 2026
Source: NVD
CVE-2025-67905 HIGH - 8.7

Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. To exploit this, an at...

Published: Feb 17, 2026
Source: NVD
CVE-2025-70828 HIGH - 8.8

An issue in Datart v1.0.0-rc.3 allows attackers to execute arbitrary code via the url parameter in the JDBC configuration.

Published: Feb 17, 2026
Source: NVD
CVE-2025-70397 HIGH - 8.8

jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter.

Vendor: jizhicms
Product: jizhicms
Published: Feb 17, 2026
Source: NVD
CVE-2026-22860 HIGH - 7.5

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directo...

Vendor: rubygems
Product: rack
Published: Feb 17, 2026
Source: GitHub
CVE-2026-2616 HIGH - 8.8

A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the pu...

Vendor: beetel
Product: 777vr1_firmware
Published: Feb 17, 2026
Source: NVD
CVE-2026-25087 HIGH - 7.0

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and Strin...

Vendor: Apache Software Foundation
Product: Apache Arrow
Published: Feb 17, 2026
Source: NVD
CVE-2026-2615 HIGH - 7.2

A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument del_flag can lead to command injection. The attack may be launched remotely. The exploit has been publi...

Vendor: wavlink
Product: wl-nu516u1_firmware
Published: Feb 17, 2026
Source: NVD
CVE-2025-7631 HIGH - 8.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva News Software allows SQL Injection. This issue affects Tumeva News Software: thro...

Published: Feb 17, 2026
Source: NVD
CVE-2026-1216 HIGH - 7.2

The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticat...

Published: Feb 17, 2026
Source: NVD
CVE-2026-2592 HIGH - 7.7

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token pr...

Published: Feb 17, 2026
Source: NVD