Total CVEs: 141,249 | Critical Severity: 3,795 | High Severity: 13,708 | Last 7 Days: 1,933
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,861 - 11,880 of 13,404 CVEs
CVE-2025-58382 HIGH - 7.2

A vulnerability in the secure configuration of authentication and management services in Brocade Fabric OS before Fabric OS 9.2.1c2 could allow an authenticated, remote attacker with administrative credentials to execute arbitrary commands as root using “supportsave”, “seccertmgmt”, “configuploa...

Vendor: Brocade
Product: Fabric OS
Published: Feb 03, 2026
Source: NVD
CVE-2026-25157 HIGH - 7.8

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the c...

Vendor: npm
Product: clawdbot
Published: Feb 02, 2026
Source: GitHub
CVE-2026-25060 HIGH - 8.1

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting defaults to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in...

Vendor: OpenListTeam
Product: OpenList
Published: Feb 02, 2026
Source: NVD
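What a skip-verify default costs in practice, as an added example that is not OpenList's code: a client built from a config whose TlsInsecureSkipVerify field (the name the advisory gives) is true accepts a self-signed certificate from a local test server, while the corrected default refuses it with a certificate verification error. Config, WeakDefaultConfig, SafeDefaultConfig, NewClient, Fetch and IsVerificationFailure are hypothetical names; the self-signed server stands in for whatever a man-in-the-middle would present.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Config stands in for a storage-driver configuration. The field name is the one
// the advisory names; the struct and the functions below are illustrative, not
// OpenList's code.
type Config struct {
	TlsInsecureSkipVerify bool
}

// WeakDefaultConfig reproduces the reported default: verification off unless an
// operator notices and turns it on.
func WeakDefaultConfig() Config { return Config{TlsInsecureSkipVerify: true} }

// SafeDefaultConfig is the corrected default: verify unless explicitly opted out.
func SafeDefaultConfig() Config { return Config{TlsInsecureSkipVerify: false} }

// NewClient builds an HTTP client whose TLS verification follows cfg.
func NewClient(cfg Config) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion:         tls.VersionTLS12,
				InsecureSkipVerify: cfg.TlsInsecureSkipVerify, // the weak setting, when true
			},
		},
	}
}

// Fetch GETs url with a client built from cfg and returns the response body.
func Fetch(cfg Config, url string) (string, error) {
	resp, err := NewClient(cfg).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// IsVerificationFailure reports whether err means the client refused the peer
// because its chain could not be validated (unknown CA) or its name did not
// match, as opposed to a network or HTTP error.
func IsVerificationFailure(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost)
}

func main() {
	// Constructed target: a local TLS server with a self-signed certificate,
	// which is exactly what an interposing attacker would present.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "secret-from-storage")
	}))
	defer srv.Close()

	body, err := Fetch(WeakDefaultConfig(), srv.URL)
	fmt.Printf("skip-verify default: body=%q err=%v\n", body, err)

	body, err = Fetch(SafeDefaultConfig(), srv.URL)
	fmt.Printf("verifying default:   body=%q verificationFailure=%v\n", body, IsVerificationFailure(err))
}
```

The check to add to a code base with such a switch is the inverse of the bug: the zero value of the config must be the verifying one, and any path that sets it to true should require an explicit per-driver opt-in.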
CVE-2026-24763 HIGH - 8.8

OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authentica...

Vendor: clawdbot
Product: clawdbot
Published: Feb 02, 2026
Source: NVD
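Both OpenClaw advisories above (CVE-2026-25157, a project path spliced into a shell script's error message, and CVE-2026-24763, a PATH value spliced into a sandbox command line) are the same defect: a string the caller controls is pasted into shell text and then parsed as code. The example below is added here and is not OpenClaw's code; reportMissingUnsafe, reportMissingParam, reportMissingQuoted and shellQuote are hypothetical names, and the message text is invented for the demo. It shows the splice executing an injected command, then two fixes: passing the value as a positional parameter so the script never changes, and single-quoting it when it genuinely must live inside script text.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// runSh executes script with /bin/sh -c; extra words become $1, $2, ... ($0 is "sh").
func runSh(script string, args ...string) (string, error) {
	argv := append([]string{"-c", script, "sh"}, args...)
	out, err := exec.Command("/bin/sh", argv...).CombinedOutput()
	return string(out), err
}

// reportMissingUnsafe splices the caller-supplied project root into the script
// text, so quotes and separators in the path are parsed as shell syntax.
func reportMissingUnsafe(projectRoot string) (string, error) {
	script := fmt.Sprintf("echo 'project root %s does not exist'", projectRoot)
	return runSh(script)
}

// reportMissingParam keeps the script constant and hands the path in as $1.
// The shell expands "$1" as data and never tokenises its contents.
func reportMissingParam(projectRoot string) (string, error) {
	const script = `echo "project root $1 does not exist"`
	return runSh(script, projectRoot)
}

// shellQuote single-quotes s for POSIX sh, closing and reopening the quotes
// around every embedded single quote ('\''). Inside single quotes nothing
// else is special, so the result is always one literal word.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// reportMissingQuoted embeds the path in the script text, but quoted.
func reportMissingQuoted(projectRoot string) (string, error) {
	script := "echo " + shellQuote("project root "+projectRoot+" does not exist")
	return runSh(script)
}

func main() {
	// Constructed payload: closes the quote, runs a command, reopens the quote.
	payload := "x'; echo INJECTED; echo '"
	for name, f := range map[string]func(string) (string, error){
		"unsafe": reportMissingUnsafe,
		"param":  reportMissingParam,
		"quoted": reportMissingQuoted,
	} {
		out, err := f(payload)
		fmt.Printf("%-6s err=%v\n%s\n", name, err, out)
	}
}
```

The positional-parameter form is the one to prefer: the script text is a constant, so there is nothing to escape and no escaping routine to get wrong. shellQuote is the fallback for cases like remote execution over ssh, where the value must survive as script text on the far side.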
CVE-2026-24051 HIGH - 7.0

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in versions v1.20.0 through v1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search pat...

Vendor: open-telemetry
Product: opentelemetry-go
Published: Feb 02, 2026
Source: NVD
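The untrusted-search-path failure mode in CVE-2026-24051, demonstrated in an added example that is not the OpenTelemetry SDK's code: a fake ioreg planted in a directory that is first on PATH wins an exec.LookPath lookup, whereas a resolver that only consults fixed vendor directories never returns it. lookPathRestricted, resolveViaPATH and plantFakeTool are hypothetical names; the trusted directories listed are an assumption about where the real tool lives and the planted script is constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// resolveViaPATH is the behaviour the advisory describes: the first PATH entry
// holding something called name wins, whoever controls that directory.
func resolveViaPATH(name string) (string, error) {
	return exec.LookPath(name)
}

// lookPathRestricted ignores PATH and searches only dirs, in order. A system
// utility with a known location should be resolved this way (or simply invoked
// by absolute path); name must be a bare command name, never a relative path.
func lookPathRestricted(name string, dirs []string) (string, error) {
	if name == "" || filepath.Base(name) != name {
		return "", fmt.Errorf("%q is not a bare command name", name)
	}
	for _, d := range dirs {
		if !filepath.IsAbs(d) {
			return "", fmt.Errorf("trusted directory %q must be absolute", d)
		}
		p := filepath.Join(d, name)
		fi, err := os.Stat(p)
		if err == nil && fi.Mode().IsRegular() && fi.Mode()&0o111 != 0 {
			return p, nil
		}
	}
	return "", fmt.Errorf("%q not found in %v", name, dirs)
}

// plantFakeTool writes an executable script called name into dir, standing in
// for the attacker's binary. Constructed for this demonstration.
func plantFakeTool(dir, name string) (string, error) {
	p := filepath.Join(dir, name)
	if err := os.WriteFile(p, []byte("#!/bin/sh\necho hijacked\n"), 0o755); err != nil {
		return "", err
	}
	return p, nil
}

func main() {
	dir, err := os.MkdirTemp("", "hijack")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fake, _ := plantFakeTool(dir, "ioreg")
	// An attacker-writable directory placed ahead of the system ones.
	os.Setenv("PATH", dir+string(os.PathListSeparator)+os.Getenv("PATH"))

	p, err := resolveViaPATH("ioreg")
	fmt.Printf("PATH lookup:       %q planted=%v err=%v\n", p, p == fake, err)
	p, err = lookPathRestricted("ioreg", []string{"/usr/sbin", "/sbin"})
	fmt.Printf("restricted lookup: %q err=%v\n", p, err)
}
```

A quick audit for this class in a Go tree is to grep for exec.Command and exec.LookPath calls whose first argument is a bare name and ask, for each, whether the process can run with a caller-supplied environment.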
CVE-2026-1777 HIGH - 7.2

The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location...

Vendor: pip
Product: sagemaker
Published: Feb 02, 2026
Source: NVD
CVE-2025-13096 HIGH - 7.1

IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 through V24.0.1-IF007 and V24.0.0 through V24.0.0-IF007, and IBM Business Automation Workflow traditional V25.0.0, V24.0.1 and V24.0.0, are vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote att...

Vendor: IBM
Product: Business Automation Workflow containers, Business Automation Workflow traditional
Published: Feb 02, 2026
Source: NVD
CVE-2026-25223 HIGH - 7.5

Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content t...

Vendor: npm
Product: fastify
Published: Feb 02, 2026
Source: GitHub
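The failure mode behind CVE-2026-25223 is a content-type-keyed schema table that fails open: when the raw header value does not match a key, no schema runs. This added example (Go, not Fastify's JavaScript, and not a reproduction of Fastify's internals) contrasts a lookup on the raw header with one that parses the header as a media type, normalises it, and rejects the request when the value is malformed or has no registered schema. requireName, schemas, validateFailOpen and validateStrict are hypothetical names and the JSON bodies are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
)

// bodyValidator stands in for a per-content-type schema check.
type bodyValidator func(body []byte) error

// requireName is the demo schema: a JSON object carrying a string "name".
func requireName(body []byte) error {
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return fmt.Errorf("schema: %w", err)
	}
	if _, ok := m["name"].(string); !ok {
		return errors.New(`schema: "name" (string) is required`)
	}
	return nil
}

// schemas is keyed by media type, as a content-type-scoped schema table is.
var schemas = map[string]bodyValidator{
	"application/json": requireName,
}

// validateFailOpen looks the schema up by the raw header value and, on a miss,
// lets the body through unchecked. Anything that stops the header matching
// exactly (here a tab and trailing junk) therefore disables validation.
func validateFailOpen(contentType string, body []byte) error {
	if v, ok := schemas[contentType]; ok {
		return v(body)
	}
	return nil
}

// validateStrict parses the header as a media type (mime.ParseMediaType rejects
// non-token characters such as the tab), lower-cases and strips parameters, and
// fails closed when no schema is registered for the normalised type.
func validateStrict(contentType string, body []byte) error {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return fmt.Errorf("reject: malformed Content-Type %q: %w", contentType, err)
	}
	v, ok := schemas[mediaType]
	if !ok {
		return fmt.Errorf("reject: no schema registered for %q", mediaType)
	}
	return v(body)
}

func main() {
	body := []byte(`{"role":"admin"}`) // constructed: violates the schema
	for _, ct := range []string{
		"application/json",
		"application/json\tjunk",
		"application/json; charset=utf-8",
	} {
		fmt.Printf("%-34q fail-open err=%v | strict err=%v\n",
			ct, validateFailOpen(ct, body), validateStrict(ct, body))
	}
}
```

The check worth carrying into any framework: whatever routine selects the body parser and whatever routine selects the validation schema must agree on the same normalised media type, and a request whose type matches neither must be refused rather than passed through.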
CVE-2026-25499 HIGH - 7.5

This Terraform / OpenTofu provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, the sudoers line suggested in the SSH configuration documentation is insecure and can be escaped using ../, allowing any file on the system to be edited. This issue has been patch...

Vendor: go
Product: github.com/bpg/terraform-provider-proxmox
Published: Feb 02, 2026
Source: GitHub
CVE-2026-25059 HIGH - 8.8

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This a...

Vendor: go
Product: github.com/OpenListTeam/OpenList/v4
Published: Feb 02, 2026
Source: GitHub
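Why joining a validated directory with a raw name is not enough, as an added example that is not OpenList's code: path.Join (the package stdpath aliases in the advisory) cleans ".." segments, so a name of ../../etc/passwd resolves to /etc/passwd without error. joinSafe accepts a name only as a single path element and re-checks containment afterwards, and resolveNames applies it to a batch the way a request carrying several names would. joinUnsafe, joinSafe, resolveNames and ErrUnsafeName are hypothetical names; the directory and file names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var ErrUnsafeName = errors.New("unsafe file name")

// joinUnsafe is the flawed pattern: an already-validated directory joined with a
// caller-supplied name. path.Join cleans the result, so ".." segments in name
// silently walk out of dir instead of being rejected.
func joinUnsafe(dir, name string) string {
	return path.Join(dir, name)
}

// joinSafe accepts name only as a single path element (no separators, not "."
// or "..") and then re-checks that the joined result is still inside dir.
// dir is treated as rooted so Clean can never yield a relative path.
func joinSafe(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, name)
	}
	base := path.Clean("/" + dir)
	prefix := base
	if prefix != "/" {
		prefix += "/"
	}
	p := path.Join(base, name)
	if !strings.HasPrefix(p, prefix) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeName, name, base)
	}
	return p, nil
}

// resolveNames applies joinSafe to every name in a batch and refuses the whole
// batch if any entry is unsafe, so a mixed request cannot partially succeed.
func resolveNames(dir string, names []string) ([]string, error) {
	out := make([]string, 0, len(names))
	for _, n := range names {
		p, err := joinSafe(dir, n)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	dir := "/data/alice"
	for _, n := range []string{"notes.txt", "..hidden", "../../etc/passwd", "sub/../../bob/keys"} {
		p, err := joinSafe(dir, n)
		fmt.Printf("%-22q unsafe=%-20q safe=%q err=%v\n", n, joinUnsafe(dir, n), p, err)
	}
}
```

Note that the containment check alone is not the fix: without the single-element rule, a name like sub/../../bob/keys would be cleaned before the prefix test runs, and a sibling directory whose name shares a prefix with base would pass a naive HasPrefix(p, base) check, which is why the trailing slash is appended.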
CVE-2026-24737 HIGH - 8.1

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties,...

Vendor: npm
Product: jspdf
Published: Feb 02, 2026
Source: GitHub

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out...

Vendor: npm
Product: jspdf
Published: Feb 02, 2026
Source: GitHub
CVE-2026-23997 HIGH - 8.0

FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity en...

Vendor: composer
Product: facturascripts/facturascripts
Published: Feb 02, 2026
Source: GitHub
CVE-2026-22229 HIGH - 7.2

A command injection vulnerability on the TP-Link Archer BE230 v1.2 may be exploited, after authenticating as admin, via the import of a crafted VPN client configuration file. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe ...

Vendor: TP-Link Systems Inc.
Product: Archer BE230 v1.2
Published: Feb 02, 2026
Source: NVD
CVE-2026-22227 HIGH - 7.2

A command injection vulnerability in the configuration backup restoration function of the TP-Link Archer BE230 v1.2 may be exploited after authenticating as admin. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromi...

Vendor: TP-Link Systems Inc.
Product: Archer BE230 v1.2
Published: Feb 02, 2026
Source: NVD
CVE-2026-22226 HIGH - 7.2

A command injection vulnerability in the VPN server configuration module of the TP-Link Archer BE230 v1.2 may be exploited after authenticating as admin. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of confi...

Vendor: TP-Link Systems Inc.
Product: Archer BE230 v1.2
Published: Feb 02, 2026
Source: NVD
CVE-2026-22225 HIGH - 7.2

A command injection vulnerability in the VPN Connection Service of the Archer BE230 v1.2 may be exploited after authenticating as admin. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrit...

Vendor: TP-Link Systems Inc.
Product: Archer BE230 v1.2
Published: Feb 02, 2026
Source: NVD
CVE-2026-22224 HIGH - 7.2

A command injection vulnerability in the cloud communication interface of the TP-Link Archer BE230 v1.2 may be exploited after authenticating as admin. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configu...

Vendor: TP-Link Systems Inc.
Product: Archer BE230 v1.2
Published: Feb 02, 2026
Source: NVD
CVE-2026-22223 HIGH - 8.0

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (VPN modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration inte...

Vendor: TP-Link Systems Inc.
Product: Archer BE230 v1.2
Published: Feb 02, 2026
Source: NVD
CVE-2026-22222 HIGH - 8.0

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (web modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration int...

Vendor: TP-Link Systems Inc.
Product: Archer BE230 v1.2
Published: Feb 02, 2026
Source: NVD