Total CVEs

142,250

Critical Severity

3,947

High Severity

14,209

Last 7 Days

1,911
Showing 11,961 - 11,980 of 14,674 CVEs
CVE-2025-69874 MEDIUM - 9.8

nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing a path traversal sequence.

Vendor: npm
Product: nanotar
Published: Feb 11, 2026
Source: NVD
CVE-2025-13391 MEDIUM - 5.8

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possibl...

Vendor: MooMoo
Product: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)
Published: Feb 11, 2026
Source: NVD
CVE-2026-25633 MEDIUM - 4.3

Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advanta...

Vendor: composer
Product: statamic/cms
Published: Feb 11, 2026
Source: GitHub
CVE-2025-48508 MEDIUM - 6.0

Improper Hardware reset flow logic in the GPU GFX Hardware IP block could allow a privileged attacker in a guest virtual machine to control reset operation potentially causing host or GPU crash or reset resulting in denial of service.

Vendor: AMD
Product: AMD Radeon™ PRO V710
Published: Feb 11, 2026
Source: NVD
CVE-2024-36316 MEDIUM - 5.5

The integer overflow vulnerability within AMD Graphics driver could allow an attacker to bypass size checks potentially resulting in a denial of service

Published: Feb 11, 2026
Source: NVD
CVE-2019-25317 MEDIUM - 6.4

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.

Vendor: kevinpapst
Product: Kimai
Published: Feb 11, 2026
Source: NVD
CVE-2019-25316 MEDIUM - 6.4

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. Attackers can exploit the CreateEvent.php endpoint by sending crafted POST requests with XSS payloads to execute arbitrary JavaSc...

Vendor: Goautodial
Product: GOautodial
Published: Feb 11, 2026
Source: NVD
CVE-2019-25315 MEDIUM - 6.4

WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface.

Vendor: anttiviljami
Product: WP Server Log Viewer
Published: Feb 11, 2026
Source: NVD
CVE-2019-25314 MEDIUM - 6.4

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.

Vendor: Duplicate-Post
Product: Post
Published: Feb 11, 2026
Source: NVD
CVE-2019-25312 MEDIUM - 6.4

InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session ...

Vendor: InoIdeas
Product: InoERP
Published: Feb 11, 2026
Source: NVD
CVE-2019-25311 MEDIUM - 6.4

thesystem version 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple server data input fields. Attackers can submit crafted script payloads in operating_system, system_owner, system_username, system_password, system_descrip...

Vendor: kostasmitroglou
Product: thesystem
Published: Feb 11, 2026
Source: NVD
CVE-2018-25157 MEDIUM - 6.4

Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redi...

Vendor: Phraseanet
Product: Phraseanet DAM Open Source
Published: Feb 11, 2026
Source: NVD
CVE-2026-26019 MEDIUM - 4.1

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site ...

Vendor: npm
Product: @langchain/community
Published: Feb 11, 2026
Source: GitHub
CVE-2026-26014 MEDIUM - 5.9

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce i...

Vendor: go
Product: github.com/pion/dtls/v3
Published: Feb 11, 2026
Source: GitHub
CVE-2026-22894 MEDIUM - 6.5

A path traversal vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5...

Vendor: QNAP Systems Inc.
Product: File Station 5
Published: Feb 11, 2026
Source: NVD
CVE-2025-68406 MEDIUM - 6.5

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0...

Vendor: QNAP Systems Inc.
Product: Qsync Central
Published: Feb 11, 2026
Source: NVD
CVE-2025-66278 MEDIUM - 6.5

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5...

Vendor: QNAP Systems Inc.
Product: File Station 5
Published: Feb 11, 2026
Source: NVD
CVE-2025-66274 MEDIUM - 4.9

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the follow...

Vendor: QNAP Systems Inc.
Product: QuTS hero
Published: Feb 11, 2026
Source: NVD
CVE-2025-62856 MEDIUM - 4.4

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Stat...

Vendor: QNAP Systems Inc.
Product: File Station 5
Published: Feb 11, 2026
Source: NVD
CVE-2025-62855 MEDIUM - 4.4

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Stat...

Vendor: QNAP Systems Inc.
Product: File Station 5
Published: Feb 11, 2026
Source: NVD