Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,881
Quick preset (or use dates below)
Clear Filters
Showing 12,261 - 12,280 of 14,217 CVEs
CVE-2026-0538 HIGH - 7.8

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2026-0537 HIGH - 7.8

A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Vendor: autodesk
Product: 3ds_max
Published: Feb 04, 2026
Source: NVD
CVE-2025-61917 HIGH - 7.7

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the s...

Vendor: n8n-io
Product: n8n
Published: Feb 04, 2026
Source: NVD
CVE-2025-15368 HIGH - 8.8

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitra...

Vendor: themeboy
Product: SportsPress – Sports Club & League Manager
Published: Feb 04, 2026
Source: NVD
CVE-2026-24735 HIGH - 7.5

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or ...

Vendor: Apache Software Foundation
Product: Apache Answer
Published: Feb 04, 2026
Source: NVD
CVE-2025-15285 HIGH - 7.5

The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement ...

Vendor: lupsonline
Product: SEO Flow by LupsOnline
Published: Feb 04, 2026
Source: NVD
CVE-2025-15268 HIGH - 7.5

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existi...

Vendor: infility
Product: Infility Global
Published: Feb 04, 2026
Source: NVD
CVE-2026-1819 HIGH - 8.8

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026.

Published: Feb 04, 2026
Source: NVD
CVE-2026-20983 HIGH - 7.8

Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-20979 HIGH - 7.8

Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-1756 HIGH - 8.8

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level acc...

Published: Feb 04, 2026
Source: NVD
CVE-2025-69620 HIGH - 7.5

A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage.

Vendor: ntoolslab
Product: office_reader
Published: Feb 04, 2026
Source: NVD
CVE-2026-25143 HIGH - 7.8

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived...

Vendor: go
Product: chainguard.dev/melange
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25140 HIGH - 7.5

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go...

Vendor: go
Product: chainguard-dev/apko
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25121 HIGH - 7.5

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosqua...

Vendor: go
Product: chainguard.dev/apko
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24844 HIGH - 7.8

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in ...

Vendor: go
Product: chainguard.dev/melange
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24843 HIGH - 8.2

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries wi...

Vendor: go
Product: chainguard.dev/melange
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24512 HIGH - 8.8

A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in ...

Vendor: Kubernetes
Product: ingress-nginx
Published: Feb 03, 2026
Source: NVD
CVE-2026-1580 HIGH - 8.8

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to th...

Vendor: go
Product: k8s.io/ingress-nginx
Published: Feb 03, 2026
Source: NVD
CVE-2020-37084 HIGH - 7.2

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the serve...

Vendor: Arox
Product: School ERP Pro
Published: Feb 03, 2026
Source: NVD