Total CVEs: 141,272
Critical Severity: 3,795
High Severity: 13,729
Last 7 Days: 1,855
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,041 - 12,060 of 13,424 CVEs
CVE-2020-37008 HIGH - 7.5

EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without pr...

Vendor: Elektraweb
Product: EasyPMS
Published: Jan 29, 2026
Source: NVD
CVE-2020-37006 HIGH - 8.2

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database infor...

Vendor: crm-now GmbH
Product: berliCRM
Published: Jan 29, 2026
Source: NVD
CVE-2020-37005 HIGH - 7.1

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measu...

Vendor: TimeClock Software
Product: TimeClock Software
Published: Jan 29, 2026
Source: NVD
CVE-2020-37004 HIGH - 8.2

Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progre...

Vendor: codexcube
Product: Ultimate Project Manager CRM PRO
Published: Jan 29, 2026
Source: NVD
CVE-2020-37001 HIGH - 8.4

Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the Pack File feature that allows attackers to execute arbitrary code by overflowing the 'Archive To' input field. Attackers can craft a malicious payload that overwrites the Structured Exception Handler (SEH) ...

Vendor: Frigate3
Product: Frigate Professional
Published: Jan 29, 2026
Source: NVD
CVE-2020-36999 HIGH - 8.2

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php,...

Vendor: Elaniin
Product: Elaniin CMS
Published: Jan 29, 2026
Source: NVD
CVE-2020-36995 HIGH - 7.5

Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the user configuration input. Attackers can overwrite the 'User' field with 350 bytes of repeated characters to trigger an application crash and prevent n...

Vendor: telnet-lite
Product: Mocha Telnet Lite for iOS
Published: Jan 29, 2026
Source: NVD
CVE-2026-1616 HIGH - 7.5

The $uri$args concatenation in nginx configuration file present in Open Security Issue Management (OSIM) prior v2025.9.0 allows path traversal attacks via query parameters.

Published: Jan 29, 2026
Source: NVD
CVE-2025-7016 HIGH - 8.0

Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12.

Published: Jan 29, 2026
Source: NVD
CVE-2025-14975 HIGH - 8.1

The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account.

Vendor: Unknown
Product: Custom Login Page Customizer
Published: Jan 29, 2026
Source: NVD
CVE-2026-1545 HIGH - 7.3

A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available ...

Vendor: angeljudesuarez
Product: school_management_system
Published: Jan 28, 2026
Source: NVD
CVE-2026-24856 HIGH - 7.8

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML ...

Vendor: InternationalColorConsortium
Product: iccDEV
Published: Jan 28, 2026
Source: NVD

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline ...

Vendor: nocodb
Product: nocodb
Published: Jan 28, 2026
Source: NVD
CVE-2026-23743 HIGH - 7.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2026-1535 HIGH - 7.3

A security vulnerability has been detected in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Administrator/PHP/AdminReply.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed...

Vendor: fabian
Product: online_music_site
Published: Jan 28, 2026
Source: NVD
CVE-2026-1534 HIGH - 7.3

A weakness has been identified in code-projects Online Music Site 1.0. This affects an unknown function of the file /Administrator/PHP/AdminEditUser.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to ...

Vendor: fabian
Product: online_music_site
Published: Jan 28, 2026
Source: NVD
CVE-2025-71007 HIGH - 7.5

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-71003 HIGH - 7.5

An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-68662 HIGH - 7.6

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1....

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68119 HIGH - 7.0

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This is...

Vendor: Go toolchain
Product: cmd/go
Published: Jan 28, 2026
Source: NVD