Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,699
Showing 11,801 - 11,820 of 14,604 CVEs

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Th...

Vendor: inspektor-gadget
Product: inspektor-gadget
Published: Feb 12, 2026
Source: NVD
CVE-2026-25933 MEDIUM - 6.8

Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from insufficient sanitization and validation of input data received from connected hardware devices, spec...

Vendor: arduino
Product: arduino-app-lab
Published: Feb 12, 2026
Source: NVD
CVE-2026-22821 MEDIUM - 4.9

mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4.

Vendor: pluginsGLPI
Product: mreporting
Published: Feb 12, 2026
Source: NVD
CVE-2025-69752 MEDIUM - 4.3

An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL.

Published: Feb 12, 2026
Source: NVD
CVE-2025-56647 MEDIUM - 6.5

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked...

Vendor: npm
Product: @farmfe/core
Published: Feb 12, 2026
Source: NVD
CVE-2026-26000 MEDIUM - 6.1

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it is possible to use comments to inject CSS that would transform the full wiki into a link area leading to a malicious page. This vulnerability is fixed i...

Vendor: maven
Product: org.xwiki.platform:xwiki-platform-web
Published: Feb 12, 2026
Source: GitHub
CVE-2026-21438 MEDIUM - 5.3

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resou...

Vendor: go
Product: github.com/quic-go/webtransport-go
Published: Feb 12, 2026
Source: GitHub
CVE-2026-21435 MEDIUM - 5.3

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blockin...

Vendor: go
Product: github.com/quic-go/webtransport-go
Published: Feb 12, 2026
Source: GitHub
CVE-2026-21434 MEDIUM - 5.3

webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementat...

Vendor: go
Product: github.com/quic-go/webtransport-go
Published: Feb 12, 2026
Source: GitHub
CVE-2026-2003 MEDIUM - 4.3

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 1...

Published: Feb 12, 2026
Source: NVD
CVE-2025-13004 MEDIUM - 6.3

Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables. This issue affects E-Commerce Package: through 27112025.

Vendor: Farktor Software E-Commerce Services Inc.
Product: E-Commerce Package
Published: Feb 12, 2026
Source: NVD
CVE-2026-1671 MEDIUM - 6.5

The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level acces...

Published: Feb 12, 2026
Source: NVD
CVE-2025-15575 MEDIUM - 5.3

The firmware update functionality does not verify the authenticity of the supplied firmware update files. This allows attackers to flash malicious firmware update files on the device. Initial analysis of the firmware update functionality does not show any cryptographic checks (e.g. digital signature...

Vendor: SolaX Power
Product: Pocket WiFi 3.0, Pocket WiFi+LAN, Pocket WiFi+4GM, Pocket WiFi+LAN 2.0, Pocket WiFi 4.0
Published: Feb 12, 2026
Source: NVD
CVE-2025-15574 MEDIUM - 6.5

When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transpos...

Vendor: SolaX Power
Product: Pocket WiFi 3.0, Pocket WiFi+LAN, Pocket WiFi+4GM, Pocket WiFi+LAN 2.0, Pocket WiFi 4.0
Published: Feb 12, 2026
Source: NVD
CVE-2026-1356 MEDIUM - 4.8

The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web reque...

Published: Feb 12, 2026
Source: NVD
CVE-2026-21722 MEDIUM - 5.3

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotati...

Vendor: Grafana
Product: grafana/grafana, grafana/grafana-enterprise
Published: Feb 12, 2026
Source: NVD
CVE-2025-41117 MEDIUM - 6.8

Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tem...

Vendor: Grafana
Product: grafana/grafana, grafana/grafana-enterprise
Published: Feb 12, 2026
Source: NVD
CVE-2026-2327 MEDIUM - 5.3

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers exc...

Vendor: npm
Product: markdown-it
Published: Feb 12, 2026
Source: NVD
CVE-2026-1537 MEDIUM - 5.3

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to vie...

Published: Feb 12, 2026
Source: NVD
CVE-2026-20682 MEDIUM - 5.3

A logic issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An attacker may be able to discover a user’s deleted notes.

Vendor: Apple
Product: iOS and iPadOS
Published: Feb 11, 2026
Source: NVD