Total CVEs

141,272

Critical Severity

3,795

High Severity

13,729

Last 7 Days

1,863
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,981 - 12,000 of 13,424 CVEs
CVE-2020-37024 HIGH - 8.4

Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the License Code field to trigger a stack-based buffer overflow and execute ...

Vendor: Nidesoft Studio
Product: Nidesoft DVD Ripper
Published: Jan 30, 2026
Source: NVD
CVE-2020-37023 HIGH - 8.8

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and ...

Vendor: Koken
Product: Koken CMS
Published: Jan 30, 2026
Source: NVD
CVE-2026-25153 HIGH - 7.7

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who ...

Vendor: backstage
Product: backstage
Published: Jan 30, 2026
Source: NVD
CVE-2025-36384 HIGH - 8.4

IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element.

Vendor: IBM
Product: Db2 for Linux, UNIX and Windows
Published: Jan 30, 2026
Source: NVD
CVE-2025-36184 HIGH - 7.2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalates their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level.

Vendor: IBM
Product: Db2 for Linux, UNIX and Windows
Published: Jan 30, 2026
Source: NVD
CVE-2025-69662 HIGH - 8.6

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the `to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.

Vendor: pip
Product: geopandas
Published: Jan 30, 2026
Source: NVD
CVE-2025-62348 HIGH - 7.8

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.

Vendor: Salt Project
Product: Salt
Published: Jan 30, 2026
Source: NVD
CVE-2026-1701 HIGH - 7.3

A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disc...

Published: Jan 30, 2026
Source: NVD
CVE-2026-1689 HIGH - 7.3

A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be laun...

Published: Jan 30, 2026
Source: NVD
CVE-2020-37060 HIGH - 7.8

Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain pers...

Vendor: Drive-Software
Product: Atomic Alarm Clock x86
Published: Jan 30, 2026
Source: NVD
CVE-2020-37059 HIGH - 7.8

Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level perm...

Vendor: Getpopcorntime
Product: Popcorn Time
Published: Jan 30, 2026
Source: NVD
CVE-2020-37058 HIGH - 7.8

Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup.

Vendor: Andrea Electronics
Product: Andrea ST Filters Service
Published: Jan 30, 2026
Source: NVD
CVE-2020-37030 HIGH - 7.8

Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with Local...

Vendor: Getoutline
Product: Outline Service
Published: Jan 30, 2026
Source: NVD
CVE-2026-25128 HIGH - 7.5

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range e...

Vendor: NaturalIntelligence
Product: fast-xml-parser
Published: Jan 30, 2026
Source: NVD
CVE-2026-24854 HIGH - 8.8

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6....

Vendor: ChurchCRM
Product: CRM
Published: Jan 30, 2026
Source: NVD
CVE-2026-1688 HIGH - 7.3

A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed...

Published: Jan 30, 2026
Source: NVD
CVE-2026-1687 HIGH - 7.3

A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack re...

Published: Jan 30, 2026
Source: NVD
CVE-2026-1686 HIGH - 8.8

A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possible to initiate the attack remotely. The exploi...

Published: Jan 30, 2026
Source: NVD
CVE-2025-4686 HIGH - 8.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection. This issue affects Online Exam and Assessment: through 30012026....

Published: Jan 30, 2026
Source: NVD
CVE-2024-4027 HIGH - 7.5

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

Vendor: maven
Product: io.undertow:undertow-core
Published: Jan 30, 2026
Source: NVD