Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,137
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,781 - 11,800 of 13,404 CVEs
CVE-2020-37078 HIGH - 8.8

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from th...

Vendor: i-doit GmbH
Product: i-doit Open Source CMDB
Published: Feb 03, 2026
Source: NVD
CVE-2020-37076 HIGH - 8.2

Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-b...

Vendor: VictorAlagwu
Product: CMSsite
Published: Feb 03, 2026
Source: NVD
CVE-2020-37073 HIGH - 8.8

Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing the uploaded file with...

Vendor: VictorAlagwu
Product: CMSsite
Published: Feb 03, 2026
Source: NVD
CVE-2020-37072 HIGH - 7.2

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.

Vendor: VictorAlagwu
Product: CMSsite
Published: Feb 03, 2026
Source: NVD
CVE-2019-25260 HIGH - 8.2

OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execut...

Vendor: OXID-eSales
Product: OXID eShop
Published: Feb 03, 2026
Source: NVD
CVE-2026-1862 HIGH - 8.8

Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Published: Feb 03, 2026
Source: NVD
CVE-2026-1861 HIGH - 8.8

Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Published: Feb 03, 2026
Source: NVD
CVE-2026-25615 HIGH - 7.2

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.

Vendor: Blesta
Product: Blesta
Published: Feb 03, 2026
Source: NVD
CVE-2026-25614 HIGH - 7.5

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680.

Vendor: Blesta
Product: Blesta
Published: Feb 03, 2026
Source: NVD
CVE-2026-24149 HIGH - 7.8

NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

Vendor: NVIDIA
Product: Megatron-LM
Published: Feb 03, 2026
Source: NVD
CVE-2026-1803 HIGH - 8.1

A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is c...

Published: Feb 03, 2026
Source: NVD

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, th...

Vendor: npm
Product: @isaacs/brace-expansion
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24887 HIGH - 8.8

Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted conten...

Vendor: npm
Product: @anthropic-ai/claude-code
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24053 HIGH - 6.5

Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the us...

Vendor: npm
Product: @anthropic-ai/claude-code
Published: Feb 03, 2026
Source: GitHub
CVE-2026-25503 HIGH - 7.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing d...

Vendor: InternationalColorConsortium
Product: iccDEV
Published: Feb 03, 2026
Source: NVD
CVE-2026-25502 HIGH - 7.8

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution ...

Vendor: InternationalColorConsortium
Product: iccDEV
Published: Feb 03, 2026
Source: NVD
CVE-2026-25239 HIGH - 7.5

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0.

Vendor: pear
Product: pearweb
Published: Feb 03, 2026
Source: NVD
CVE-2026-25235 HIGH - 7.5

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.

Vendor: pear
Product: pearweb
Published: Feb 03, 2026
Source: NVD
CVE-2026-1802 HIGH - 7.3

A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to...

Published: Feb 03, 2026
Source: NVD
CVE-2026-24052 HIGH - 7.4

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol...

Vendor: npm
Product: @anthropic-ai/claude-code
Published: Feb 03, 2026
Source: GitHub