Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,855
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,121 - 12,140 of 13,433 CVEs
CVE-2026-1506 HIGH - 7.2

A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac causes os command injection. The attack is possible to be carried out remotely. The exploit has been...

Vendor: dlink
Product: dir-615_firmware
Published: Jan 28, 2026
Source: NVD
CVE-2026-1513 HIGH - 7.1

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.

Vendor: npm
Product: billboard.js
Published: Jan 28, 2026
Source: NVD
CVE-2026-1505 HIGH - 7.2

A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vu...

Vendor: dlink
Product: dir-615_firmware
Published: Jan 28, 2026
Source: NVD
CVE-2026-24842 HIGH - 8.2

node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path travers...

Vendor: isaacs
Product: node-tar
Published: Jan 28, 2026
Source: NVD
CVE-2026-24840 HIGH - 8.0

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokp...

Vendor: Dokploy
Product: dokploy
Published: Jan 28, 2026
Source: NVD
CVE-2026-21569 HIGH - 7.9

This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has hi...

Vendor: Atlassian
Product: Crowd Data Center
Published: Jan 28, 2026
Source: NVD
CVE-2026-24837 HIGH - 7.6

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13...

Vendor: dnnsoftware
Product: Dnn.Platform
Published: Jan 28, 2026
Source: NVD
CVE-2026-24836 HIGH - 7.6

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Ve...

Vendor: dnnsoftware
Product: Dnn.Platform
Published: Jan 28, 2026
Source: NVD
CVE-2026-24833 HIGH - 7.6

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 an...

Vendor: dnnsoftware
Product: Dnn.Platform
Published: Jan 28, 2026
Source: NVD

Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Secti...

Vendor: jmlepisto
Product: clatter
Published: Jan 28, 2026
Source: NVD
CVE-2025-67645 HIGH - 8.8

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record...

Vendor: openemr
Product: openemr
Published: Jan 28, 2026
Source: NVD
CVE-2025-55292 HIGH - 8.2

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encrypti...

Vendor: meshtastic
Product: firmware
Published: Jan 28, 2026
Source: NVD
CVE-2026-24783 HIGH - 7.5

soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product w...

Vendor: script3
Product: soroban-fixed-point-math
Published: Jan 27, 2026
Source: NVD
CVE-2026-24779 HIGH - 7.1

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain a...

Vendor: vllm-project
Product: vllm
Published: Jan 27, 2026
Source: NVD
CVE-2026-24778 HIGH - 8.8

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially ...

Vendor: TryGhost
Product: Ghost
Published: Jan 27, 2026
Source: NVD
CVE-2026-24765 HIGH - 7.8

PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializ...

Vendor: sebastianbergmann
Product: phpunit
Published: Jan 27, 2026
Source: NVD
CVE-2026-24747 HIGH - 8.8

PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and poten...

Vendor: pytorch
Product: pytorch
Published: Jan 27, 2026
Source: NVD
CVE-2026-24741 HIGH - 8.1

ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker ...

Vendor: C4illin
Product: ConvertX
Published: Jan 27, 2026
Source: NVD
CVE-2026-24882 HIGH - 8.4

In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

Vendor: GnuPG
Product: GnuPG
Published: Jan 27, 2026
Source: NVD
CVE-2026-24881 HIGH - 8.1

In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that co...

Vendor: GnuPG
Product: GnuPG
Published: Jan 27, 2026
Source: NVD