Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,702
Showing 11,781 - 11,800 of 14,604 CVEs
CVE-2026-2026 MEDIUM - 6.1

A vulnerability has been identified where weak file permissions in the Nessus Agent directory on Windows hosts could allow unauthorized access, potentially permitting Denial of Service (DoS) attacks.

Published: Feb 13, 2026
Source: NVD

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without pro...

Vendor: lukilabs
Product: beautiful-mermaid
Published: Feb 13, 2026
Source: NVD
CVE-2025-70095 MEDIUM - 6.5

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 13, 2026
Source: NVD
CVE-2025-70094 MEDIUM - 6.5

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 13, 2026
Source: NVD
CVE-2025-70091 MEDIUM - 6.5

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 13, 2026
Source: NVD
CVE-2026-25531 MEDIUM - 4.3

Kanboard is project management software focused on the Kanban methodology. Prior to 1.2.50, the fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into proj...

Vendor: kanboard
Product: kanboard
Published: Feb 13, 2026
Source: NVD
CVE-2026-2443 MEDIUM - 5.3

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memor...

Published: Feb 13, 2026
Source: NVD
CVE-2026-22892 MEDIUM - 4.3

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not ...

Vendor: Mattermost
Product: Mattermost
Published: Feb 13, 2026
Source: NVD
CVE-2025-15520 MEDIUM - 4.3

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.

Vendor: Unknown
Product: RegistrationMagic
Published: Feb 13, 2026
Source: NVD

Summary A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The `error_description` query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in th...

Vendor: npm
Product: agents
Published: Feb 13, 2026
Source: NVD
CVE-2025-70092 MEDIUM - 5.5

A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 12, 2026
Source: NVD
CVE-2019-25334 MEDIUM - 6.2

Product Key Explorer 4.2.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by overflowing the registration name input field. Attackers can create a specially crafted text file with repeated characters to trigger a buffer overflow when pasted into the...

Vendor: Nsasoft
Product: Nsauditor Product Key Explorer
Published: Feb 12, 2026
Source: NVD
CVE-2019-25324 MEDIUM - 6.1

RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script that allows attackers to inject malicious HTML code. Attackers can exploit the entryNameIn and entryDisplayNameIn parameters to insert arbitrary HTML content, potentially enabling cross-site...

Vendor: RICOH
Product: RICOH Web Image Monitor
Published: Feb 12, 2026
Source: NVD
CVE-2019-25323 MEDIUM - 6.1

Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. Attackers can craft specially formatted POST requests to the outputtitle parameter to execute arbitrary HTML and pote...

Vendor: Heatmiser
Product: Heatmiser Netmonitor
Published: Feb 12, 2026
Source: NVD
CVE-2019-25320 MEDIUM - 6.5

E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication...

Vendor: amitkolloldey
Product: elearning-script
Published: Feb 12, 2026
Source: NVD
CVE-2026-26185 MEDIUM - 5.3

Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existin...

Vendor: directus
Product: directus, @directus/api
Published: Feb 12, 2026
Source: NVD
CVE-2026-25828 MEDIUM - 5.4

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device().

Published: Feb 12, 2026
Source: NVD
CVE-2025-70845 MEDIUM - 6.1

lty628 aidigu v1.9.1 is vulnerable to cross-site scripting (XSS) in the /setting/ page, where the "intro" field is not properly sanitized or escaped.

Published: Feb 12, 2026
Source: NVD
CVE-2025-14282 MEDIUM - 5.4

A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's fi...

Vendor: Dropbear
Product: Dropbear
Published: Feb 12, 2026
Source: NVD
CVE-2026-26005 MEDIUM - 5.0

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in ClipBucket v5, the Remote Play feature allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF...

Vendor: MacWarrior
Product: clipbucket-v5
Published: Feb 12, 2026
Source: NVD