Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,189
CVE-2026-25754 HIGH - 7.2

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next...

Vendor: npm
Product: @adonisjs/bodyparser
Published: Feb 06, 2026
Source: GitHub

MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.

Vendor: smn2gnt
Product: MCP-Salesforce
Published: Feb 06, 2026
Source: NVD
CVE-2026-24418 HIGH - 6.5

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate th...

Vendor: devcode-it
Product: openstamanager
Published: Feb 06, 2026
Source: NVD
CVE-2026-24417 HIGH - 6.5

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before usin...

Vendor: devcode-it
Product: openstamanager
Published: Feb 06, 2026
Source: NVD
CVE-2026-24416 HIGH - 6.5

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo paramete...

Vendor: devcode-it
Product: openstamanager
Published: Feb 06, 2026
Source: NVD
CVE-2025-69216 HIGH - 6.5

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the data...

Vendor: devcode-it
Product: openstamanager
Published: Feb 06, 2026
Source: NVD
CVE-2025-69214 HIGH - 8.8

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options...

Vendor: devcode-it
Product: openstamanager
Published: Feb 06, 2026
Source: NVD
CVE-2026-25640 HIGH - 7.1

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. ...

Vendor: pip
Product: pydantic-ai
Published: Feb 06, 2026
Source: GitHub
CVE-2026-25580 HIGH - 8.6

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources...

Vendor: pip
Product: pydantic-ai
Published: Feb 06, 2026
Source: GitHub
CVE-2026-2060 HIGH - 7.3

A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the at...

Vendor: fabian
Product: simple_blood_donor_management_system
Published: Feb 06, 2026
Source: NVD
CVE-2026-25725 HIGH - 10.0

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.js...

Vendor: anthropics
Product: claude-code
Published: Feb 06, 2026
Source: NVD
CVE-2026-25723 HIGH - 6.5

Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder...

Vendor: anthropics
Product: claude-code
Published: Feb 06, 2026
Source: NVD
CVE-2026-25722 HIGH - 9.1

Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection ...

Vendor: anthropics
Product: claude-code
Published: Feb 06, 2026
Source: NVD
CVE-2026-24419 HIGH - 6.5

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separat...

Vendor: devcode-it
Product: openstamanager
Published: Feb 06, 2026
Source: NVD

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulat...

Vendor: gogs
Product: gogs
Published: Feb 06, 2026
Source: NVD
CVE-2025-70963 HIGH - 7.6

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

Vendor: go
Product: github.com/gophish/gophish
Published: Feb 06, 2026
Source: NVD

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to ...

Vendor: gogs
Product: gogs
Published: Feb 06, 2026
Source: NVD
CVE-2026-2103 HIGH - 7.1

Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all ...

Published: Feb 06, 2026
Source: NVD
CVE-2026-2059 HIGH - 7.3

A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public...

Vendor: bontrofftech
Product: medical_center_portal_management_system
Published: Feb 06, 2026
Source: NVD
CVE-2026-2058 HIGH - 7.3

A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes sql injection. The attack is po...

Published: Feb 06, 2026
Source: NVD