Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,925
Quick preset (or use dates below)
Clear Filters
Showing 12,121 - 12,140 of 14,675 CVEs
CVE-2024-54192 MEDIUM - 5.0

An issue inTcpreplay v4.5.1 allows a local attacker to cause a denial of service via a crafted file to the tcpedit_dlt_getplugin function at src/tcpedit/plugins/dlt_utils.c.

Published: Feb 10, 2026
Source: NVD
CVE-2025-15570 MEDIUM - 5.3

A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. Performing a manipulation results in use after free. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the pr...

Vendor: ckolivas
Product: lrzip
Published: Feb 10, 2026
Source: NVD
CVE-2025-11537 MEDIUM - 5.0

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can e...

Vendor: Red Hat
Product: Red Hat Build of Keycloak
Published: Feb 10, 2026
Source: NVD
CVE-2026-1922 MEDIUM - 6.4

The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplie...

Published: Feb 10, 2026
Source: NVD
CVE-2025-14895 MEDIUM - 5.4

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscr...

Vendor: roxnor
Product: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Published: Feb 10, 2026
Source: NVD
CVE-2024-52334 MEDIUM - 5.3

A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF07). The affected application does not encrypt the passwords properly. This could allow an attacker to recover the original passwords and might gain unauthorized access.

Vendor: Siemens
Product: syngo.plaza VB30E
Published: Feb 10, 2026
Source: NVD
CVE-2026-1722 MEDIUM - 5.3

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This ...

Published: Feb 10, 2026
Source: NVD
CVE-2026-2099 MEDIUM - 5.4

AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.

Vendor: flowring
Product: agentflow
Published: Feb 10, 2026
Source: NVD
CVE-2026-2098 MEDIUM - 6.1

AgentFlow developed by Flowring has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

Vendor: flowring
Product: agentflow
Published: Feb 10, 2026
Source: NVD
CVE-2025-12063 MEDIUM - 5.7

An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions.

Vendor: Axis Communications AB
Product: AXIS Camera Station Pro
Published: Feb 10, 2026
Source: NVD
CVE-2026-0996 MEDIUM - 6.4

The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscribe...

Published: Feb 10, 2026
Source: NVD
CVE-2025-13064 MEDIUM - 4.5

A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that have been tampered with.

Vendor: Axis Communications AB
Product: AXIS Camera Station Pro
Published: Feb 10, 2026
Source: NVD
CVE-2025-12757 MEDIUM - 4.6

An AXIS Camera Station Pro feature can be exploited in a way that allows a non-admin user to view information they are not permitted to.

Vendor: Axis Communications AB
Product: AXIS Camera Station Pro
Published: Feb 10, 2026
Source: NVD
CVE-2026-24328 MEDIUM - 6.1

SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confid...

Vendor: SAP_SE
Product: Business Server Pages Application (TAF_APPLAUNCHER)
Published: Feb 10, 2026
Source: NVD
CVE-2026-24327 MEDIUM - 4.3

Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to low impact on confidentiality and no effect on integrity or availabi...

Vendor: SAP_SE
Product: SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application)
Published: Feb 10, 2026
Source: NVD
CVE-2026-24326 MEDIUM - 4.3

Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on c...

Vendor: SAP_SE
Product: SAP S/4HANA Defense & Security (Disconnected Operations)
Published: Feb 10, 2026
Source: NVD
CVE-2026-24325 MEDIUM - 4.8

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page.Thi...

Vendor: SAP_SE
Product: SAP BusinessObjects Enterprise (Central Management Console)
Published: Feb 10, 2026
Source: NVD
CVE-2026-24324 MEDIUM - 6.5

SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management Server (CMS) to crash, rendering the CMS partially or completely unavailable and resulting in the de...

Vendor: SAP_SE
Product: SAP BusinessObjects Business Intelligence Platform (AdminTools)
Published: Feb 10, 2026
Source: NVD
CVE-2026-24323 MEDIUM - 6.1

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and ...

Vendor: SAP_SE
Product: SAP Document Management System
Published: Feb 10, 2026
Source: NVD
CVE-2026-24321 MEDIUM - 5.3

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not...

Vendor: SAP_SE
Product: SAP Commerce Cloud
Published: Feb 10, 2026
Source: NVD