Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 1,946
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,801 - 11,820 of 13,404 CVEs

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists.

Vendor: composer
Product: devcode-it/openstamanager
Published: Feb 03, 2026
Source: GitHub

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the id...

Vendor: composer
Product: devcode-it/openstamanager
Published: Feb 03, 2026
Source: GitHub

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including use...

Vendor: composer
Product: facturascripts/facturascripts
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24773 HIGH - 7.5

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user ide...

Vendor: gunet
Product: openeclass
Published: Feb 03, 2026
Source: NVD
CVE-2026-24672 HIGH - 7.3

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing p...

Vendor: gunet
Product: openeclass
Published: Feb 03, 2026
Source: NVD
CVE-2026-24669 HIGH - 7.8

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potenti...

Vendor: gunet
Product: openeclass
Published: Feb 03, 2026
Source: NVD
CVE-2026-24665 HIGH - 8.7

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors vi...

Vendor: gunet
Product: openeclass
Published: Feb 03, 2026
Source: NVD
CVE-2025-70560 HIGH - 8.4

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve ...

Vendor: pip
Product: boltz
Published: Feb 03, 2026
Source: NVD
CVE-2025-69983 HIGH - 9.8

FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.

Vendor: npm
Product: fuxa-server
Published: Feb 03, 2026
Source: NVD
CVE-2025-69981 HIGH - 9.8

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user datab...

Vendor: npm
Product: fuxa-server
Published: Feb 03, 2026
Source: NVD
CVE-2025-69971 HIGH - 9.8

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

Vendor: npm
Product: fuxa-server
Published: Feb 03, 2026
Source: NVD
CVE-2025-69970 HIGH - 9.3

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...

Vendor: npm
Product: fuxa-server
Published: Feb 03, 2026
Source: NVD
CVE-2025-69875 HIGH - 7.8

A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abu...

Published: Feb 03, 2026
Source: NVD
CVE-2025-69429 HIGH - 7.5

The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the ...

Published: Feb 03, 2026
Source: NVD
CVE-2025-66374 HIGH - 7.8

CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task.

Published: Feb 03, 2026
Source: NVD
CVE-2025-65875 HIGH - 8.8

An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.

Published: Feb 03, 2026
Source: NVD
CVE-2025-63372 HIGH - 7.5

Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents.

Published: Feb 03, 2026
Source: NVD
CVE-2025-60865 HIGH - 7.8

Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service Windows component.

Published: Feb 03, 2026
Source: NVD
CVE-2025-59439 HIGH - 7.5

An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of Improper Handling of Exceptional Conditions.

Vendor: samsung
Product: exynos_990_firmware
Published: Feb 03, 2026
Source: NVD
CVE-2020-37116 HIGH - 8.8

GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise.

Vendor: Openeclass
Product: GUnet OpenEclass
Published: Feb 03, 2026
Source: NVD