CVE listing, filtered to year 2026 (January 1 - December 31, 2026); entries 11,681 - 11,700 of 13,404.
CVE-2025-15566 HIGH - 8.8

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets acces...

Vendor: Kubernetes
Product: ingress-nginx
Published: Feb 06, 2026
Source: NVD
CVE-2026-24302 HIGH - 8.6

Azure Arc Elevation of Privilege Vulnerability

Vendor: microsoft
Product: azure_arc
Published: Feb 05, 2026
Source: NVD
CVE-2026-21532 HIGH - 8.2

Azure Function Information Disclosure Vulnerability

Vendor: microsoft
Product: azure_functions
Published: Feb 05, 2026
Source: NVD
CVE-2026-25628 HIGH - 8.6

Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0...

Vendor: rust
Product: qdrant
Published: Feb 05, 2026
Source: GitHub

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access ...

Vendor: rubygems
Product: spree_api
Published: Feb 05, 2026
Source: GitHub

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This iss...

Vendor: rubygems
Product: spree_storefront
Published: Feb 05, 2026
Source: GitHub
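Both Spree entries above are the same bug class: an object is fetched by the ID the client supplies, with no check that the caller owns it. The block below is an added example, not Spree's code: a constructed in-memory guest checkout that shows the two shapes from the advisories (binding another guest's address by ID, and reading a completed order by ID alone) beside the scoped lookups that close them. Names such as guest_token, owner_token and Forbidden are assumptions made for the demonstration.

```python
"""Ownership checks for a guest checkout (added example, not Spree's code)."""
from dataclasses import dataclass
from typing import Optional
import secrets


class Forbidden(Exception):
    """Raised when the caller does not own the object it names."""


@dataclass
class Address:
    id: int
    owner_token: str  # guest session that created the address (assumed field)
    line1: str


@dataclass
class Order:
    id: int
    guest_token: str  # capability issued when the order was started (assumed field)
    completed: bool = False
    ship_address_id: Optional[int] = None


# Constructed sample data: two guests, each with one address and one order.
ADDRESSES = {
    1: Address(1, "tok-alice", "1 Alice Way"),
    2: Address(2, "tok-bob", "2 Bob Street"),
}
ORDERS = {
    100: Order(100, "tok-alice"),
    200: Order(200, "tok-bob", completed=True),
}


def _own_order(order_id: int, guest_token: str) -> Order:
    """Look up an order and prove the caller holds its guest token."""
    order = ORDERS.get(order_id)
    if order is None or not secrets.compare_digest(order.guest_token, guest_token):
        raise Forbidden("order not owned by this guest")
    return order


def bind_address_vulnerable(order_id: int, address_id: int, guest_token: str) -> Order:
    """The order is checked, but the address ID from the request is trusted as-is."""
    order = _own_order(order_id, guest_token)
    order.ship_address_id = address_id  # IDOR: any address ID is accepted
    return order


def bind_address_fixed(order_id: int, address_id: int, guest_token: str) -> Order:
    """Scope the address lookup to the same guest before binding it to the order."""
    order = _own_order(order_id, guest_token)
    address = ADDRESSES.get(address_id)
    if address is None or address.owner_token != guest_token:
        raise Forbidden("address not owned by this guest")
    order.ship_address_id = address.id
    return order


def view_order_vulnerable(order_id: int) -> Order:
    """Completed orders fetched by ID alone, with no proof the caller placed them."""
    return ORDERS[order_id]


def view_order_fixed(order_id: int, guest_token: str) -> Order:
    """Require the token issued with the order, not just its (guessable) ID."""
    return _own_order(order_id, guest_token)
```

The fix in both cases is to resolve the object through the caller's own scope (in Rails terms, find through the association the current guest owns rather than through the global table) and to treat the order ID as a name, not a credential; the guest token is the credential, which is why it is compared in constant time.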
CVE-2026-25732 HIGH - 7.5

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers...

Vendor: pip
Product: nicegui
Published: Feb 05, 2026
Source: GitHub
CVE-2026-23989 HIGH - 8.2

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service this can ...

Vendor: go
Product: github.com/opencloud-eu/reva/v2
Published: Feb 05, 2026
Source: GitHub
CVE-2025-15330 HIGH - 8.8

Tanium addressed an improper input validation vulnerability in Deploy.

Vendor: Tanium
Product: Deploy
Published: Feb 05, 2026
Source: NVD
CVE-2025-15311 HIGH - 7.8

Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance.

Vendor: Tanium
Product: Tanium Appliance
Published: Feb 05, 2026
Source: NVD
CVE-2026-1707 HIGH - 7.4

pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the ...

Vendor: pip
Product: pgadmin4
Published: Feb 05, 2026
Source: NVD
CVE-2025-15557 HIGH - 8.8

An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, ena...

Vendor: TP-Link Systems Inc.
Product: Tapo H100 v1, Tapo P100 v1
Published: Feb 05, 2026
Source: NVD
CVE-2025-69906 HIGH - 8.8

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upl...

Vendor: monstra
Product: monstra_cms
Published: Feb 05, 2026
Source: NVD
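The NiceGUI entry (UPLOAD_DIR / file.name with a client-supplied name) and the Monstra entry (blacklist-based extension check, files stored in a web-accessible directory) are the two halves of the same upload-handling problem: where the file lands, and what the server will do with it once it is there. The block below is an added example, not NiceGUI's or Monstra's code: it reproduces the vulnerable join, shows why a denylist on the extension is bypassed by a name it never listed, and then builds a destination path that is contained in the upload root and carries an allowlisted extension. UPLOAD_DIR, ALLOWED_EXTENSIONS and DENIED_EXTENSIONS are assumptions made for the demonstration; the real Monstra denylist is not on this page.

```python
"""Client-supplied upload filenames: the vulnerable join beside a contained one.
Added example, not NiceGUI's or Monstra's code."""
from pathlib import Path, PurePosixPath
import re
import tempfile
import uuid

# Constructed stand-in for the application's upload directory.
UPLOAD_DIR = Path(tempfile.mkdtemp(prefix="uploads-"))

# Assumed allowlist: only the extensions the application actually needs to serve.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Hypothetical denylist of the kind the Monstra entry describes (the real one is
# not on the page); the point is that any such list is incomplete by construction.
DENIED_EXTENSIONS = {"php", "exe"}


def vulnerable_dest(upload_dir: Path, client_name: str) -> Path:
    """The UPLOAD_DIR / file.name pattern from the NiceGUI entry: the client's name is
    joined verbatim, so '..' components and absolute paths are honoured by the OS."""
    return upload_dir / client_name


def escapes_dir(upload_dir: Path, dest: Path) -> bool:
    """True if dest, after '..' and symlinks are normalised, is not inside upload_dir."""
    root = upload_dir.resolve()
    target = dest.resolve()
    return target != root and root not in target.parents


def blacklist_allows(client_name: str) -> bool:
    """Denylist check on the last extension, as a blacklist-based validator does."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    return ext not in DENIED_EXTENSIONS


def safe_dest(upload_dir: Path, client_name: str) -> Path:
    """Map a client-supplied name to a path that is inside upload_dir and carries an
    allowlisted extension. Raises ValueError on anything else."""
    # 1. Keep only the final path component, whichever separator the client used.
    base = PurePosixPath(client_name.replace("\\", "/")).name
    if base in ("", ".", ".."):
        raise ValueError("no usable filename")
    # 2. Allowlist the extension: anything not explicitly permitted is rejected, so
    #    .phtml, .phar, .htaccess and handler extensions added later never get through.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if not re.fullmatch(r"[a-z0-9]+", ext) or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    # 3. Never reuse the client's name on disk: a random name removes traversal,
    #    overwrite and double-extension tricks in one step.
    dest = (upload_dir / f"{uuid.uuid4().hex}.{ext}").resolve()
    # 4. Belt and braces: confirm the final path is still under the upload root.
    if escapes_dir(upload_dir, dest):
        raise ValueError("destination outside upload directory")
    return dest


if __name__ == "__main__":
    for name in ("photo.png", "../../etc/passwd", "shell.phtml", ".htaccess"):
        v = vulnerable_dest(UPLOAD_DIR, name)
        print(f"{name!r}: naive join escapes={escapes_dir(UPLOAD_DIR, v)}, "
              f"denylist allows={blacklist_allows(name)}")
        try:
            print("  stored as", safe_dest(UPLOAD_DIR, name))
        except ValueError as exc:
            print("  rejected:", exc)
```

Containment (steps 1, 3 and 4) answers the NiceGUI entry; the allowlist (step 2) answers the Monstra entry, where a denylist of "php" says nothing about "phtml" or "phar". Neither step fixes the second half of the Monstra description: an upload directory that the web server will execute from. That needs the directory moved outside the document root, or handlers disabled for it, regardless of how names are validated.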
CVE-2025-69619 HIGH - 7.5

A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage.

Vendor: zipperapp
Product: my_teditor
Published: Feb 05, 2026
Source: NVD
CVE-2020-37150 HIGH - 7.5

Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authe...

Vendor: EDIMAX Technology
Product: EW-7438RPn Mini
Published: Feb 05, 2026
Source: NVD
CVE-2020-37149 HIGH - 8.1

Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's pri...

Vendor: EDIMAX Technology
Product: EW-7438RPn Mini
Published: Feb 05, 2026
Source: NVD
CVE-2020-37143 HIGH - 7.5

ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. Attackers can overwrite the password field with 257 bytes of repeated characters to trigger an application crash and prevent successful a...

Vendor: GE Intelligent Platforms, Inc.
Product: ProficySCADA for iOS
Published: Feb 05, 2026
Source: NVD
CVE-2020-37142 HIGH - 8.4

10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. Attackers can craft a malicious payload targeting the 'Computer' parameter during the 'Add' ...

Vendor: 10-Strike Software
Product: Network Inventory Explorer
Published: Feb 05, 2026
Source: NVD
CVE-2020-37139 HIGH - 8.4

Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields, causing the application t...

Vendor: Odin-Secure-Ftp-Expert
Product: Odin Secure FTP Expert
Published: Feb 05, 2026
Source: NVD
CVE-2020-37136 HIGH - 7.5

ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH ...

Vendor: EmTec
Product: ZOC Terminal
Published: Feb 05, 2026
Source: NVD