Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,892
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,261 - 12,280 of 14,292 CVEs
CVE-2025-15491 MEDIUM - 5.5

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks

Vendor: Unknown
Product: Post Slides
Published: Feb 07, 2026
Source: NVD
CVE-2025-15267 MEDIUM - 6.4

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for ...

Vendor: boldthemes
Product: Bold Page Builder
Published: Feb 07, 2026
Source: NVD
CVE-2025-13463 MEDIUM - 6.4

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

Vendor: boldthemes
Product: Bold Page Builder
Published: Feb 07, 2026
Source: NVD
CVE-2025-12803 MEDIUM - 6.4

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authe...

Vendor: boldthemes
Product: Bold Page Builder
Published: Feb 07, 2026
Source: NVD
CVE-2025-12159 MEDIUM - 6.4

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for aut...

Vendor: boldthemes
Product: Bold Page Builder
Published: Feb 07, 2026
Source: NVD
CVE-2026-2074 MEDIUM - 6.3

A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is ...

Published: Feb 07, 2026
Source: NVD
CVE-2025-31990 MEDIUM - 6.8

Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability...

Vendor: HCLSoftware
Product: HCL DevOps Velocity
Published: Feb 07, 2026
Source: NVD
CVE-2020-37171 MEDIUM - 6.2

TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy username configuration that allows local attackers to crash the application. Attackers can overwrite the username field with 10,000 bytes of arbitrary data to trigger an application crash and prevent normal program...

Vendor: Raimersoft
Product: TapinRadio
Published: Feb 07, 2026
Source: NVD
CVE-2020-37170 MEDIUM - 6.2

TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy address configuration that allows local attackers to crash the application. Attackers can overwrite the address field with 3000 bytes of arbitrary data to trigger an application crash and prevent normal program fun...

Vendor: Raimersoft
Product: TapinRadio
Published: Feb 07, 2026
Source: NVD
CVE-2020-37166 MEDIUM - 6.2

AbsoluteTelnet 11.12 contains a denial of service vulnerability in the SSH2 username input field that allows local attackers to crash the application. Attackers can overwrite the username field with a 1000-byte buffer, causing the application to become unresponsive and terminate.

Vendor: Celestial Software
Product: AbsoluteTelnet
Published: Feb 07, 2026
Source: NVD
CVE-2020-37165 MEDIUM - 6.2

AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license name field to trigger an application crash.

Vendor: Celestial Software
Product: AbsoluteTelnet
Published: Feb 07, 2026
Source: NVD
CVE-2020-37164 MEDIUM - 6.2

AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license entry field to trigger an application crash.

Vendor: Celestial Software
Product: AbsoluteTelnet
Published: Feb 07, 2026
Source: NVD
CVE-2020-37160 MEDIUM - 6.2

SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete...

Vendor: Veridium
Product: SprintWork
Published: Feb 07, 2026
Source: NVD
CVE-2020-37106 MEDIUM - 5.3

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administr...

Vendor: Bdtask
Product: Business Live Chat Software
Published: Feb 07, 2026
Source: NVD
CVE-2020-37079 MEDIUM - 4.3

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user acc...

Vendor: Wing FTP Server
Product: Wing FTP Server
Published: Feb 07, 2026
Source: NVD
CVE-2026-25749 MEDIUM - 6.6

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing h...

Vendor: vim
Product: vim
Published: Feb 06, 2026
Source: NVD
CVE-2026-25123 MEDIUM - 5.3

Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behav...

Vendor: homarr-labs
Product: homarr
Published: Feb 06, 2026
Source: NVD
CVE-2026-2065 MEDIUM - 6.3

A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The ...

Published: Feb 06, 2026
Source: NVD
CVE-2026-25642 MEDIUM - 4.3

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interac...

Vendor: hedgedoc
Product: hedgedoc
Published: Feb 06, 2026
Source: NVD

Gogs has authorization bypass in repository deletion API

Vendor: go
Product: gogs.io/gogs
Published: Feb 06, 2026
Source: GitHub