Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,152
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,741 - 11,760 of 13,404 CVEs
CVE-2026-0536 HIGH - 7.8

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2026-25161 HIGH - 8.8

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequ...

Vendor: go
Product: github.com/alist-org/alist/v3
Published: Feb 04, 2026
Source: GitHub
CVE-2026-23897 HIGH - 7.5

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalo...

Vendor: npm
Product: apollo-server
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25055 HIGH - 8.1

n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those re...

Vendor: n8n-io
Product: n8n
Published: Feb 04, 2026
Source: NVD
CVE-2026-25054 HIGH - 5.4

n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated ...

Vendor: n8n-io
Product: n8n
Published: Feb 04, 2026
Source: NVD
CVE-2026-25051 HIGH - 5.4

n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to iso...

Vendor: n8n-io
Product: n8n
Published: Feb 04, 2026
Source: NVD
CVE-2026-20119 HIGH - 7.5

A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient valida...

Vendor: Cisco
Product: Cisco RoomOS Software, Cisco TelePresence Endpoint Software (TC/CE)
Published: Feb 04, 2026
Source: NVD
CVE-2026-20098 HIGH - 8.8

A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in ce...

Vendor: Cisco
Product: Cisco Meeting Management
Published: Feb 04, 2026
Source: NVD
CVE-2026-0662 HIGH - 7.8

A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2026-0661 HIGH - 7.8

A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2026-0660 HIGH - 7.8

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2026-0659 HIGH - 7.8

A maliciously crafted USD file, when loaded or imported into Autodesk Arnold or Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Published: Feb 04, 2026
Source: NVD
CVE-2026-0538 HIGH - 7.8

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2026-0537 HIGH - 7.8

A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2025-61917 HIGH - 7.7

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the s...

Vendor: n8n-io
Product: n8n
Published: Feb 04, 2026
Source: NVD
CVE-2025-15368 HIGH - 8.8

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitra...

Vendor: themeboy
Product: SportsPress – Sports Club & League Manager
Published: Feb 04, 2026
Source: NVD
CVE-2026-24735 HIGH - 7.5

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or ...

Vendor: Apache Software Foundation
Product: Apache Answer
Published: Feb 04, 2026
Source: NVD
CVE-2025-15285 HIGH - 7.5

The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement ...

Vendor: lupsonline
Product: SEO Flow by LupsOnline
Published: Feb 04, 2026
Source: NVD
CVE-2025-15268 HIGH - 7.5

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existi...

Vendor: infility
Product: Infility Global
Published: Feb 04, 2026
Source: NVD
CVE-2026-1819 HIGH - 8.8

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026.

Published: Feb 04, 2026
Source: NVD