Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,850
CVE-2026-24868 HIGH - 7.5

Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2.

Vendor: Mozilla
Product: Firefox
Published: Jan 27, 2026
Source: NVD
CVE-2026-24831 HIGH - 7.5

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3.

Vendor: ixray-team
Product: ixray-1.6-stcop
Published: Jan 27, 2026
Source: NVD
CVE-2026-0648 HIGH - 7.8

The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @ose...

Published: Jan 27, 2026
Source: NVD
CVE-2025-69421 HIGH - 7.5

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decry...

Vendor: OpenSSL
Product: OpenSSL
Published: Jan 27, 2026
Source: NVD
CVE-2025-69420 HIGH - 7.5

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An appl...

Vendor: OpenSSL
Product: OpenSSL
Published: Jan 27, 2026
Source: NVD
CVE-2025-69419 HIGH - 7.4

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corrupti...

Vendor: OpenSSL
Product: OpenSSL
Published: Jan 27, 2026
Source: NVD
CVE-2021-47902 HIGH - 8.2

Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensiti...

Vendor: Testa
Product: Testa Online Test Management System
Published: Jan 27, 2026
Source: NVD
CVE-2020-36951 HIGH - 8.2

Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling the...

Vendor: geraked
Product: phpscript-sgh
Published: Jan 27, 2026
Source: NVD
CVE-2020-36949 HIGH - 7.5

TapinRadio 2.13.7 contains a denial of service vulnerability in the application proxy settings that allows attackers to crash the program by overflowing input fields. Attackers can paste a large buffer of 20,000 characters into the username and address fields to cause the application to become unres...

Vendor: Raimersoft
Product: TapinRadio
Published: Jan 27, 2026
Source: NVD
CVE-2020-36947 HIGH - 7.1

LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retri...

Vendor: LibreNMS
Product: LibreNMS
Published: Jan 27, 2026
Source: NVD
CVE-2020-36946 HIGH - 7.5

SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability.

Vendor: Flexense Ltd.
Product: SyncBreeze
Published: Jan 27, 2026
Source: NVD
CVE-2020-36942 HIGH - 8.8

Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser.

Vendor: VictorAlagwu
Product: CMSsite
Published: Jan 27, 2026
Source: NVD
CVE-2020-36939 HIGH - 7.5

Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. Attackers can exploit the disabled Rack::Protection module to read sensitive system files like /etc/passwd and retrieve Apache Cas...

Vendor: avalanche123
Product: Cassandra Web
Published: Jan 27, 2026
Source: NVD
CVE-2020-36938 HIGH - 8.8

WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory.

Vendor: WinAVR
Product: WinAVR
Published: Jan 27, 2026
Source: NVD
CVE-2025-41727 HIGH - 7.8

A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access.

Vendor: Beckhoff Automation
Product: Beckhoff.Device.Manager.XAR, MDP software package for TwinCAT/BSD, MDP for Beckhoff RT Linux(R)
Published: Jan 27, 2026
Source: NVD
CVE-2025-41726 HIGH - 8.8

A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes.

Vendor: Beckhoff Automation
Product: Beckhoff.Device.Manager.XAR, MDP software package for TwinCAT/BSD, MDP for Beckhoff RT Linux(R)
Published: Jan 27, 2026
Source: NVD
CVE-2026-24828 HIGH - 7.5

Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4.

Vendor: Is-Daouda
Product: is-Engine
Published: Jan 27, 2026
Source: NVD
CVE-2026-24827 HIGH - 7.5

Out-of-bounds Write vulnerability in gerstrong Commander-Genius. This issue affects Commander-Genius: before Release refs/pull/358/merge.

Vendor: gerstrong
Product: Commander-Genius
Published: Jan 27, 2026
Source: NVD
CVE-2026-21417 HIGH - 7.0

Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.

Vendor: Dell
Product: CloudBoost Virtual Appliance
Published: Jan 27, 2026
Source: NVD
CVE-2026-21721 HIGH - 8.1

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege esca...

Vendor: Grafana
Product: grafana/grafana, grafana/grafana-enterprise
Published: Jan 27, 2026
Source: NVD