Total CVEs: 141,272
Critical Severity: 3,795
High Severity: 13,729
Last 7 Days: 1,855
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,021 - 12,040 of 13,424 CVEs
CVE-2025-63650 HIGH - 7.5

An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2025-63649 HIGH - 7.5

An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server.

Published: Jan 29, 2026
Source: NVD
CVE-2026-1610 HIGH - 8.1

A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed f...

Published: Jan 29, 2026
Source: NVD
CVE-2026-23896 HIGH - 7.2

immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.

Vendor: immich-app
Product: immich
Published: Jan 29, 2026
Source: NVD
CVE-2026-1595 HIGH - 7.3

A vulnerability was detected in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_student_query.php. The manipulation of the argument student_id results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

Vendor: angeljudesuarez
Product: society_management_system
Published: Jan 29, 2026
Source: NVD
CVE-2025-62514 HIGH - 8.3

Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means ...

Vendor: Scille
Product: parsec-cloud
Published: Jan 29, 2026
Source: NVD
CVE-2026-1594 HIGH - 7.3

A security vulnerability has been detected in itsourcecode Society Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/add_expenses.php. The manipulation of the argument detail leads to sql injection. Remote exploitation of the attack is possible. The explo...

Vendor: angeljudesuarez
Product: society_management_system
Published: Jan 29, 2026
Source: NVD
CVE-2026-1593 HIGH - 7.3

A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_expenses_query.php. Executing a manipulation of the argument detail can lead to sql injection. The attack may be launched remotely. The exp...

Vendor: angeljudesuarez
Product: society_management_system
Published: Jan 29, 2026
Source: NVD
CVE-2026-1590 HIGH - 7.3

A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used...

Vendor: angeljudesuarez
Product: school_management_system
Published: Jan 29, 2026
Source: NVD
CVE-2026-1589 HIGH - 7.3

A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/inquiry/index.php. This manipulation of the argument txtsearch causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and m...

Vendor: angeljudesuarez
Product: school_management_system
Published: Jan 29, 2026
Source: NVD
CVE-2025-7714 HIGH - 7.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection. This issue affects Content Management System (CMS): throug...

Published: Jan 29, 2026
Source: NVD
CVE-2025-7713 HIGH - 7.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS): through 21072025.

Published: Jan 29, 2026
Source: NVD
CVE-2020-37021 HIGH - 7.8

10-Strike Bandwidth Monitor 3.9 contains an unquoted service path vulnerability in multiple services that allows local attackers to escalate privileges. Attackers can place a malicious executable in specific file path locations to achieve privilege escalation to SYSTEM during service startup.

Vendor: 10-Strike
Product: Bandwidth Monitor
Published: Jan 29, 2026
Source: NVD
CVE-2020-37020 HIGH - 7.8

SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. Attackers can replace the wrapper.exe in the service path with a malicious executable to execute code with highest system privileges during...

Vendor: Sonarqube
Product: SonarQube
Published: Jan 29, 2026
Source: NVD
CVE-2020-37017 HIGH - 7.8

CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalS...

Vendor: Wibu
Product: CodeMeter
Published: Jan 29, 2026
Source: NVD
CVE-2020-37016 HIGH - 7.8

BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem privileges...

Vendor: Barcode-Ocr
Product: BarcodeOCR
Published: Jan 29, 2026
Source: NVD
CVE-2020-37015 HIGH - 7.5

Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. Attackers can exploit the /download.do endpoint with '../' sequences to retrieve system...

Vendor: Ruijienetworks
Product: Ruijie Networks Switch eWeb S29_RGOS
Published: Jan 29, 2026
Source: NVD
CVE-2020-37013 HIGH - 8.4

Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. Attackers can craft malicious payloads and overwrite Structured Exception Handler (SEH) to execute shellcode when pasting specially c...

Vendor: Tucows Inc.
Product: Audio Playback Recorder
Published: Jan 29, 2026
Source: NVD
CVE-2020-37011 HIGH - 7.5

Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the...

Vendor: GNOME
Product: Fonts Viewer
Published: Jan 29, 2026
Source: NVD
CVE-2020-37009 HIGH - 8.8

MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevated p...

Vendor: MedDream
Product: MedDream PACS Server
Published: Jan 29, 2026
Source: NVD