Total CVEs: 142,250
Critical Severity: 3,947
High Severity: 14,209
Last 7 Days: 1,910
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,861 - 11,880 of 14,291 CVEs
CVE-2025-70092 MEDIUM - 5.5

A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Name parameter.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 12, 2026
Source: NVD
CVE-2019-25334 MEDIUM - 6.2

Product Key Explorer 4.2.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by overflowing the registration name input field. Attackers can create a specially crafted text file with repeated characters to trigger a buffer overflow when pasted into the...

Vendor: Nsasoft
Product: Nsauditor Product Key Explorer
Published: Feb 12, 2026
Source: NVD
CVE-2019-25324 MEDIUM - 6.1

RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script that allows attackers to inject malicious HTML code. Attackers can exploit the entryNameIn and entryDisplayNameIn parameters to insert arbitrary HTML content, potentially enabling cross-site...

Vendor: RICOH
Product: RICOH Web Image Monitor
Published: Feb 12, 2026
Source: NVD
CVE-2019-25323 MEDIUM - 6.1

Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outputSetup.htm page that allows attackers to inject malicious HTML code through the outputtitle parameter. Attackers can craft specially formatted POST requests to the outputtitle parameter to execute arbitrary HTML and pote...

Vendor: Heatmiser
Product: Heatmiser Netmonitor
Published: Feb 12, 2026
Source: NVD
CVE-2019-25320 MEDIUM - 6.5

E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication...

Vendor: amitkolloldey
Product: elearning-script
Published: Feb 12, 2026
Source: NVD
CVE-2026-26185 MEDIUM - 5.3

Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existin...

Vendor: directus
Product: directus, @directus/api
Published: Feb 12, 2026
Source: NVD
CVE-2026-25828 MEDIUM - 5.4

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device().

Published: Feb 12, 2026
Source: NVD
CVE-2025-70845 MEDIUM - 6.1

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) in the /setting/ page, where the "intro" field is not properly sanitized or escaped.

Published: Feb 12, 2026
Source: NVD
CVE-2025-14282 MEDIUM - 5.4

A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's fi...

Vendor: Dropbear
Product: Dropbear
Published: Feb 12, 2026
Source: NVD
CVE-2026-26005 MEDIUM - 5.0

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in ClipBucket v5, the Remote Play feature allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF...

Vendor: MacWarrior
Product: clipbucket-v5
Published: Feb 12, 2026
Source: NVD

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Th...

Vendor: inspektor-gadget
Product: inspektor-gadget
Published: Feb 12, 2026
Source: NVD
CVE-2026-25933 MEDIUM - 6.8

Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from insufficient sanitization and validation of input data received from connected hardware devices, spec...

Vendor: arduino
Product: arduino-app-lab
Published: Feb 12, 2026
Source: NVD
CVE-2026-22821 MEDIUM - 4.9

mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4.

Vendor: pluginsGLPI
Product: mreporting
Published: Feb 12, 2026
Source: NVD
CVE-2025-69752 MEDIUM - 4.3

An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL.

Published: Feb 12, 2026
Source: NVD
CVE-2025-56647 MEDIUM - 6.5

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked...

Vendor: npm
Product: @farmfe/core
Published: Feb 12, 2026
Source: NVD
CVE-2026-26000 MEDIUM - 6.1

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed i...

Vendor: maven
Product: org.xwiki.platform:xwiki-platform-web
Published: Feb 12, 2026
Source: GitHub
CVE-2026-21438 MEDIUM - 5.3

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resou...

Vendor: go
Product: github.com/quic-go/webtransport-go
Published: Feb 12, 2026
Source: GitHub
CVE-2026-21435 MEDIUM - 5.3

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blockin...

Vendor: go
Product: github.com/quic-go/webtransport-go
Published: Feb 12, 2026
Source: GitHub
CVE-2026-21434 MEDIUM - 5.3

webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementat...

Vendor: go
Product: github.com/quic-go/webtransport-go
Published: Feb 12, 2026
Source: GitHub
CVE-2026-2003 MEDIUM - 4.3

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 1...

Published: Feb 12, 2026
Source: NVD