Total CVEs

141,272

Critical Severity

3,795

High Severity

13,729

Last 7 Days

1,863
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,001 - 12,020 of 13,424 CVEs
CVE-2026-22623 HIGH - 7.2

Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.

Vendor: HIKSEMI
Product: HS-AFS-S1H1
Published: Jan 30, 2026
Source: NVD
CVE-2026-0709 HIGH - 7.2

Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.

Published: Jan 30, 2026
Source: NVD
CVE-2026-22277 HIGH - 7.8

Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution ...

Vendor: Dell
Product: UnityVSA
Published: Jan 30, 2026
Source: NVD
CVE-2026-21418 HIGH - 7.8

Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution w...

Vendor: Dell
Product: Unity
Published: Jan 30, 2026
Source: NVD
CVE-2025-1395 HIGH - 8.2

Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verifying fixing process ...

Published: Jan 30, 2026
Source: NVD
CVE-2026-0805 HIGH - 8.2

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

Published: Jan 30, 2026
Source: NVD
CVE-2026-24714 HIGH - 7.5

Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box.

Vendor: NETGEAR
Product: NETGEAR products
Published: Jan 30, 2026
Source: NVD
CVE-2026-1637 HIGH - 8.8

A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be...

Published: Jan 29, 2026
Source: NVD
CVE-2026-25126 HIGH - 7.1

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body's `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., ...

Vendor: polarnl
Product: PolarLearn
Published: Jan 29, 2026
Source: NVD
CVE-2026-25116 HIGH - 7.6

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN...

Vendor: runtipi
Product: runtipi
Published: Jan 29, 2026
Source: NVD
CVE-2026-24902 HIGH - 7.1

TrustTunnel is an open-source VPN protocol with a server-side request forgery and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path....

Vendor: TrustTunnel
Product: TrustTunnel
Published: Jan 29, 2026
Source: NVD
CVE-2025-69604 HIGH - 7.8

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls.

Published: Jan 29, 2026
Source: NVD
CVE-2025-69516 HIGH - 8.8

A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the s...

Published: Jan 29, 2026
Source: NVD
CVE-2025-63658 HIGH - 7.5

A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2025-63657 HIGH - 7.5

An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2025-63656 HIGH - 7.5

An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2025-63655 HIGH - 7.5

A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2025-63653 HIGH - 7.5

An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2025-63652 HIGH - 7.5

A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2025-63651 HIGH - 7.5

A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD