Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,708
Showing 11,541 - 11,560 of 14,604 CVEs
CVE-2026-20142 MEDIUM - 6.8

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [Authentication.conf](https://help.splu...

Vendor: Splunk
Product: Splunk Enterprise
Published: Feb 18, 2026
Source: NVD
CVE-2026-20141 MEDIUM - 4.3

In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the "admin" Splunk role could access the Splunk Monitoring Console App endpoints due to an improper access control. This could lead to a sensitive information disclosure. ...

Vendor: Splunk
Product: Splunk Enterprise
Published: Feb 18, 2026
Source: NVD
CVE-2026-20139 MEDIUM - 4.3

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious pay...

Vendor: Splunk
Product: Splunk Enterprise, Splunk Cloud Platform
Published: Feb 18, 2026
Source: NVD
CVE-2026-20138 MEDIUM - 6.8

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor A...

Vendor: Splunk
Product: Splunk Enterprise
Published: Feb 18, 2026
Source: NVD
CVE-2026-27486 MEDIUM - 5.3

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes can...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26972 MEDIUM - 6.7

OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads direct...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-2230 MEDIUM - 4.3

The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level a...

Published: Feb 18, 2026
Source: NVD
CVE-2025-65519 MEDIUM - 6.5

mayswind ezbookkeeping versions 1.2.0 and earlier contain a critical vulnerability in JSON and XML file import processing. The application fails to validate nesting depth during parsing operations, allowing authenticated attackers to trigger denial of service conditions by uploading deeply nested ma...

Vendor: mayswind
Product: ezbookkeeping
Published: Feb 18, 2026
Source: NVD
CVE-2026-26189 MEDIUM - 5.9

Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes `exp...

Vendor: actions
Product: aquasecurity/trivy-action
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27100 MEDIUM - 4.3

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and...

Vendor: Jenkins Project
Product: Jenkins
Published: Feb 18, 2026
Source: NVD
CVE-2026-1404 MEDIUM - 6.1

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including, 2.11.1 due...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2654 MEDIUM - 6.3

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made availab...

Vendor: huggingface
Product: smolagents
Published: Feb 18, 2026
Source: NVD
CVE-2026-1441 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker t...

Vendor: graylog
Product: graylog
Published: Feb 18, 2026
Source: NVD
CVE-2026-1440 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker t...

Vendor: graylog
Product: graylog
Published: Feb 18, 2026
Source: NVD
CVE-2026-1439 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker t...

Vendor: graylog
Product: graylog
Published: Feb 18, 2026
Source: NVD
CVE-2026-1438 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker t...

Vendor: graylog
Product: graylog
Published: Feb 18, 2026
Source: NVD
CVE-2026-1437 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker t...

Vendor: graylog
Product: graylog
Published: Feb 18, 2026
Source: NVD
CVE-2026-1436 MEDIUM - 6.5

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensi...

Vendor: graylog
Product: graylog
Published: Feb 18, 2026
Source: NVD
CVE-2025-8308 MEDIUM - 6.3

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Key Software Solutions Inc. INFOREX- General Information Management System allows XSS Through HTTP Headers. This issue affects INFOREX- General Information Management System: from 20...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2386 MEDIUM - 4.3

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current_...

Published: Feb 18, 2026
Source: NVD