Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,216
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 11,601 - 11,620 of 13,404 CVEs
CVE-2026-25564 HIGH - 7.5

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

Vendor: WeKan
Product: WeKan
Published: Feb 07, 2026
Source: NVD
CVE-2026-25563 HIGH - 7.5

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

Vendor: WeKan
Product: WeKan
Published: Feb 07, 2026
Source: NVD
CVE-2026-25561 HIGH - 7.5

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachm...

Vendor: WeKan
Product: WeKan
Published: Feb 07, 2026
Source: NVD
CVE-2026-2113 HIGH - 7.3

A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out rem...

Published: Feb 07, 2026
Source: NVD
CVE-2026-2090 HIGH - 7.3

A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be executed remotely. The exploit has been public...

Vendor: janobe
Product: online_class_record_system
Published: Feb 07, 2026
Source: NVD
CVE-2026-2089 HIGH - 7.3

A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been ma...

Vendor: janobe
Product: online_class_record_system
Published: Feb 07, 2026
Source: NVD
CVE-2026-2088 HIGH - 7.3

A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the publ...

Vendor: phpgurukul
Product: beauty_parlour_management_system
Published: Feb 07, 2026
Source: NVD
CVE-2026-2087 HIGH - 7.3

A flaw has been found in SourceCodester Online Class Record System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. This manipulation of the argument user_email causes sql injection. The attack may be initiated remotely. The exploit has been published and may b...

Vendor: janobe
Product: online_class_record_system
Published: Feb 07, 2026
Source: NVD
CVE-2026-2086 HIGH - 8.8

A vulnerability was detected in UTT HiPER 810G up to 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formFireWall of the component Management Interface. The manipulation of the argument GroupName results in buffer overflow. The attack can be launched remotely....

Published: Feb 07, 2026
Source: NVD
CVE-2026-2085 HIGH - 7.2

A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The e...

Vendor: dlink
Product: dwr-m921_firmware
Published: Feb 07, 2026
Source: NVD
CVE-2026-2084 HIGH - 7.2

A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to t...

Vendor: dlink
Product: dir-823x_firmware
Published: Feb 07, 2026
Source: NVD
CVE-2026-2083 HIGH - 7.3

A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the ...

Vendor: code-projects
Product: social_networking_site
Published: Feb 07, 2026
Source: NVD
CVE-2026-2080 HIGH - 7.2

A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and m...

Vendor: utt
Product: 810_firmware
Published: Feb 07, 2026
Source: NVD
CVE-2026-2073 HIGH - 7.3

A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed ...

Vendor: itsourcecode
Product: school_management_system
Published: Feb 07, 2026
Source: NVD
CVE-2026-2071 HIGH - 8.8

A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public ...

Vendor: utt
Product: 520w_firmware
Published: Feb 07, 2026
Source: NVD
CVE-2020-37163 HIGH - 8.2

QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, data...

Vendor: QuickDate
Product: QuickDate
Published: Feb 07, 2026
Source: NVD
CVE-2020-37157 HIGH - 7.5

DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessin...

Vendor: DBPower
Product: DBPower C300 HD Camera
Published: Feb 07, 2026
Source: NVD
CVE-2020-37155 HIGH - 7.5

Core FTP Lite 1.3 contains a buffer overflow vulnerability in the username input field that allows attackers to crash the application by supplying oversized input. Attackers can generate a 7000-byte payload of repeated 'A' characters to trigger an application crash without requiring additi...

Vendor: Core FTP
Product: Core FTP Lite
Published: Feb 07, 2026
Source: NVD
CVE-2020-37154 HIGH - 7.1

eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by ...

Vendor: Tripath Project
Product: eLection
Published: Feb 07, 2026
Source: NVD
CVE-2020-37147 HIGH - 7.1

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of th...

Vendor: Atutor
Product: ATutor
Published: Feb 07, 2026
Source: NVD