Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,693
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,641 - 11,660 of 14,221 CVEs
CVE-2025-12755 MEDIUM - 4.0

IBM MQ Operator (SC2 v3.2.0–3.8.1, LTS v2.0.0–2.0.29) and IBM‑supplied MQ Advanced container images (across affected SC2, CD, and LTS 9.3.x–9.4.x releases) contain a vulnerability where log messages are not properly neutralized before being written to log files. This flaw could allow an unauthorized...

Vendor: IBM
Product: MQ Operator, supplied MQ Advanced container images
Published: Feb 17, 2026
Source: NVD
CVE-2024-43178 MEDIUM - 5.9

IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Vendor: IBM
Product: Concert
Published: Feb 17, 2026
Source: NVD
CVE-2026-26057 MEDIUM - 6.5

Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow an unauthenticated, remote attacker to interact with the server API and either trigger a denial of serv...

Vendor: pip
Product: cisco-ai-skill-scanner
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25739 MEDIUM - 5.4

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix...

Vendor: pip
Product: indico
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25766 MEDIUM - 5.3

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and nor...

Vendor: go
Product: github.com/labstack/echo/v5
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25738 MEDIUM - 4.3

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Indi...

Vendor: pip
Product: indico
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25500 MEDIUM - 5.4

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)...

Vendor: rubygems
Product: rack
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25242 MEDIUM - 9.8

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachmen...

Vendor: go
Product: gogs.io/gogs
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25229 MEDIUM - 6.5

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issu...

Vendor: go
Product: gogs.io/gogs
Published: Feb 17, 2026
Source: GitHub
CVE-2026-25120 MEDIUM - 2.7

Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs,...

Vendor: go
Product: gogs.io/gogs
Published: Feb 17, 2026
Source: GitHub
CVE-2025-36425 MEDIUM - 5.3

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to obtain sensitive information under specific HADR configuration.

Vendor: IBM
Product: Db2 for Linux, UNIX and Windows
Published: Feb 17, 2026
Source: NVD
CVE-2025-14689 MEDIUM - 6.5

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic with federated objects.

Vendor: IBM
Product: Db2 for Linux, UNIX and Windows
Published: Feb 17, 2026
Source: NVD
CVE-2025-13867 MEDIUM - 6.5

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.

Vendor: IBM
Product: Db2 for Linux, UNIX and Windows
Published: Feb 17, 2026
Source: NVD
CVE-2026-24126 MEDIUM - 6.6

Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management cons...

Vendor: pip
Product: Weblate
Published: Feb 17, 2026
Source: GitHub
CVE-2026-2617 MEDIUM - 6.3

A vulnerability was found in Beetel 777VR1 up to 01.00.09. This affects an unknown function of the component Telnet Service/SSH Service. The manipulation results in insecure default initialization of resource. The attack can only be performed from the local network. The exploit has been made public ...

Vendor: beetel
Product: 777vr1_firmware
Published: Feb 17, 2026
Source: NVD
CVE-2025-69287 MEDIUM - 5.4

The BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps on the BSV Blockchain. Prior to version 2.0.0, a cryptographic vulnerability in the TypeScript SDK's BRC-104 authentication implementation caused incorrect signature data preparation, resulting in signature incompat...

Vendor: npm
Product: @bsv/sdk
Published: Feb 17, 2026
Source: GitHub
CVE-2025-70829 MEDIUM - 5.7

An information exposure vulnerability in Datart v1.0.0-rc.3 allows authenticated attackers to access sensitive data via a custom H2 JDBC connection string.

Vendor: running-elephant
Product: datart
Published: Feb 17, 2026
Source: NVD
CVE-2024-31118 MEDIUM - 6.5

Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SP Project & Document Manager: from n/a through 4.70.

Vendor: Smartypants
Product: SP Project & Document Manager
Published: Feb 17, 2026
Source: NVD
CVE-2022-41650 MEDIUM - 6.5

Missing Authorization vulnerability in Paul Custom Content by Country (by Shield Security) custom-content-by-country. This issue affects Custom Content by Country (by Shield Security): from n/a through 3.1.2.

Vendor: Paul
Product: Custom Content by Country (by Shield Security)
Published: Feb 17, 2026
Source: NVD
CVE-2026-23861 MEDIUM - 5.4

Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of mal...

Vendor: Dell
Product: Unisphere for PowerMax vApp
Published: Feb 17, 2026
Source: NVD