Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,137
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,761 - 11,780 of 13,404 CVEs
CVE-2026-20983 HIGH - 7.8

Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-20979 HIGH - 7.8

Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-1756 HIGH - 8.8

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level acc...

Published: Feb 04, 2026
Source: NVD
CVE-2025-69620 HIGH - 7.5

A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage.

Vendor: ntoolslab
Product: office_reader
Published: Feb 04, 2026
Source: NVD
CVE-2026-25143 HIGH - 7.8

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived...

Vendor: go
Product: chainguard.dev/melange
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25140 HIGH - 7.5

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go...

Vendor: go
Product: chainguard-dev/apko
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25121 HIGH - 7.5

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosqua...

Vendor: go
Product: chainguard.dev/apko
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24844 HIGH - 7.8

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in ...

Vendor: go
Product: chainguard.dev/melange
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24843 HIGH - 8.2

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries wi...

Vendor: go
Product: chainguard.dev/melange
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24512 HIGH - 8.8

A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in ...

Vendor: Kubernetes
Product: ingress-nginx
Published: Feb 03, 2026
Source: NVD
CVE-2026-1580 HIGH - 8.8

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to th...

Vendor: go
Product: k8s.io/ingress-nginx
Published: Feb 03, 2026
Source: NVD
CVE-2020-37084 HIGH - 7.2

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the serve...

Vendor: Arox
Product: School ERP Pro
Published: Feb 03, 2026
Source: NVD
CVE-2020-37097 HIGH - 7.5

Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configurat...

Vendor: EDIMAX Technology Co., Ltd.
Product: EW-7438RPn Mini
Published: Feb 03, 2026
Source: NVD
CVE-2020-37093 HIGH - 7.5

Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in p...

Vendor: Netis Systems Co., Ltd.
Product: Netis E1+
Published: Feb 03, 2026
Source: NVD
CVE-2020-37092 HIGH - 7.5

Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device.

Vendor: Netis Systems Co., Ltd.
Product: Netis E1+
Published: Feb 03, 2026
Source: NVD
CVE-2020-37089 HIGH - 8.2

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete...

Vendor: Arox
Product: School ERP Pro
Published: Feb 03, 2026
Source: NVD
CVE-2020-37088 HIGH - 7.5

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system c...

Vendor: Arox
Product: School ERP Pro
Published: Feb 03, 2026
Source: NVD
CVE-2020-37085 HIGH - 7.5

VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become u...

Vendor: SunnySideSoft
Product: VirtualTablet Server
Published: Feb 03, 2026
Source: NVD
CVE-2020-37083 HIGH - 8.2

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the pho...

Vendor: chatelao
Product: PHP Address Book
Published: Feb 03, 2026
Source: NVD
CVE-2020-37081 HIGH - 7.1

Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management ...

Vendor: Fishing Reservation System
Product: Fishing Reservation System
Published: Feb 03, 2026
Source: NVD