Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 1,946
CVE-2020-37113 HIGH - 8.8

GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intend...

Vendor: Openeclass
Product: GUnet OpenEclass
Published: Feb 03, 2026
Source: NVD
CVE-2020-37112 HIGH - 7.1

GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database inform...

Vendor: Openeclass
Product: GUnet OpenEclass
Published: Feb 03, 2026
Source: NVD
CVE-2020-37110 HIGH - 8.2

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract o...

Vendor: Davidvg
Product: 60CycleCMS
Published: Feb 03, 2026
Source: NVD
CVE-2020-37108 HIGH - 7.1

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database inf...

Vendor: AllHandsMarketing
Product: PhpIX 2012 Professional
Published: Feb 03, 2026
Source: NVD
CVE-2020-37105 HIGH - 7.1

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download....

Vendor: redmine
Product: PMB
Published: Feb 03, 2026
Source: NVD

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerabil...

Vendor: composer
Product: facturascripts/facturascripts
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24884 HIGH - 8.4

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause s...

Vendor: npm
Product: compressing
Published: Feb 03, 2026
Source: GitHub

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allo...

Vendor: rustfs
Product: rustfs
Published: Feb 03, 2026
Source: NVD
CVE-2026-25027 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.7.1.

Vendor: ThemeMove
Product: Unicamp
Published: Feb 03, 2026
Source: NVD
CVE-2026-25022 HIGH - 8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.16.

Vendor: Iqonic Design
Product: KiviCare
Published: Feb 03, 2026
Source: NVD
CVE-2026-24954 HIGH - 8.8

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8.

Vendor: magepeopleteam
Product: WpEvently
Published: Feb 03, 2026
Source: NVD
CVE-2026-1285 HIGH - 7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-o...

Vendor: pip
Product: Django
Published: Feb 03, 2026
Source: NVD

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks if the UUID generation produces collisions among the generated UUIDs. This issue has been patched in versions 0.30.4 and 0...

Vendor: decidim
Product: decidim
Published: Feb 03, 2026
Source: NVD
CVE-2025-14550 HIGH - 7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not ev...

Vendor: djangoproject
Product: Django, asgiref
Published: Feb 03, 2026
Source: NVD
CVE-2020-37102 HIGH - 7.8

Adaware Web Companion 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges duri...

Vendor: Lavasoft
Product: Web Companion
Published: Feb 03, 2026
Source: NVD
CVE-2020-37101 HIGH - 7.8

VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\VPN Unlimited\' to replace the service executable and gain elevated...

Vendor: Vpnunlimitedapp
Product: VPN unlimited
Published: Feb 03, 2026
Source: NVD
CVE-2020-37100 HIGH - 7.8

Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the servic...

Vendor: SyncBreeze
Product: Sync Breeze Enterprise
Published: Feb 03, 2026
Source: NVD
CVE-2020-37099 HIGH - 7.8

Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe' to inject malici...

Vendor: DiskSavvy
Product: Disk Savvy Enterprise
Published: Feb 03, 2026
Source: NVD
CVE-2020-37098 HIGH - 7.8

Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalS...

Vendor: DiskSorter
Product: Disk Sorter Enterprise
Published: Feb 03, 2026
Source: NVD
CVE-2019-25261 HIGH - 7.8

AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining ele...

Vendor: Anydesk
Product: AnyDesk
Published: Feb 03, 2026
Source: NVD