Total CVEs

142,250

Critical Severity

3,947

High Severity

14,209

Last 7 Days

1,911
Showing 11,941 - 11,960 of 14,674 CVEs
CVE-2026-26023 MEDIUM - 6.1

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross-site scripting vulnerability has been found in the web application chat frontend when using echarts. User or LLM inputs containing echarts containing a specific JavaScript payload will be executed. This vulnerability is fi...

Vendor: langgenius
Product: dify
Published: Feb 11, 2026
Source: NVD
CVE-2026-26012 MEDIUM - 6.5

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to ...

Vendor: dani-garcia
Product: vaultwarden
Published: Feb 11, 2026
Source: NVD
CVE-2026-25062 MEDIUM - 5.5

Outline is a service that allows for collaborative documentation. Prior to 1.4.0, during the JSON import process, the value of attachments[].key from the imported JSON is passed directly to path.join(rootPath, node.key) and then read using fs.readFile without validation. By embedding path traversal ...

Vendor: outline
Product: outline
Published: Feb 11, 2026
Source: NVD
CVE-2020-37192 MEDIUM - 6.2

MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. Attackers can exploit the 'Favorites' tab by injecting a malicious XML file that references external entities to retrieve sensitive...

Vendor: Top Password Software
Product: MSN Password Recovery
Published: Feb 11, 2026
Source: NVD
CVE-2020-37172 MEDIUM - 5.3

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials w...

Vendor: AVideo
Product: AVideo Platform
Published: Feb 11, 2026
Source: NVD
CVE-2020-37158 MEDIUM - 5.3

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials w...

Vendor: AVideo
Product: AVideo Platform
Published: Feb 11, 2026
Source: NVD
CVE-2020-37156 MEDIUM - 6.5

BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with '=''or' parameters to bypass login authentication and gain un...

Vendor: diveshlunker
Product: BloodX
Published: Feb 11, 2026
Source: NVD
CVE-2019-25313 MEDIUM - 4.0

FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious HTML form to trick authenticated users into submitting a request that creates a new local admin account w...

Vendor: Flexera Software
Product: FlexNet Publisher
Published: Feb 11, 2026
Source: NVD
CVE-2024-50618 MEDIUM - 4.3

A Use of Single-factor Authentication vulnerability in the Authentication component of CIPPlanner CIPAce before 9.17 allows attackers to bypass a protection mechanism. When the system is configured to allow login with internal accounts, an attacker can possibly obtain full authentication if the secr...

Vendor: cipplanner
Product: cipace
Published: Feb 11, 2026
Source: NVD
CVE-2024-26479 MEDIUM - 5.3

An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the Command execution function.

Published: Feb 11, 2026
Source: NVD
CVE-2024-26478 MEDIUM - 5.3

An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the /api/users endpoint.

Published: Feb 11, 2026
Source: NVD
CVE-2026-2323 MEDIUM - 4.3

Inappropriate implementation in Downloads in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Vendor: google
Product: chrome
Published: Feb 11, 2026
Source: NVD
CVE-2026-2322 MEDIUM - 4.3

Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Vendor: google
Product: chrome
Published: Feb 11, 2026
Source: NVD
CVE-2026-2320 MEDIUM - 6.5

Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Feb 11, 2026
Source: NVD
CVE-2026-2318 MEDIUM - 6.5

Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Feb 11, 2026
Source: NVD
CVE-2026-2317 MEDIUM - 6.5

Inappropriate implementation in Animation in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Feb 11, 2026
Source: NVD
CVE-2026-2316 MEDIUM - 6.5

Insufficient policy enforcement in Frames in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Feb 11, 2026
Source: NVD
CVE-2025-70297 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim's browser.

Published: Feb 11, 2026
Source: NVD
CVE-2025-70296 MEDIUM - 5.4

A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.

Published: Feb 11, 2026
Source: NVD
CVE-2025-69872 MEDIUM - 9.8

DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.

Vendor: pip
Product: diskcache
Published: Feb 11, 2026
Source: NVD