Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,823
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,321 - 12,340 of 13,433 CVEs
CVE-2026-23954 HIGH - 8.7

Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file r...

Vendor: go
Product: github.com/lxc/incus/v6/cmd/incusd
Published: Jan 22, 2026
Source: GitHub
CVE-2026-23953 HIGH - 8.7

Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional config...

Vendor: go
Product: github.com/lxc/incus/v6
Published: Jan 22, 2026
Source: GitHub
CVE-2025-66428 HIGH - 8.8

An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation.

Vendor: n/a
Product: n/a
Published: Jan 22, 2026
Source: NVD

Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.

Vendor: pip
Product: sentencepiece
Published: Jan 22, 2026
Source: GitHub

Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema ...

Vendor: npm
Product: @orval/mock
Published: Jan 22, 2026
Source: GitHub

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acces...

Vendor: go
Product: d7y.io/dragonfly/v2
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24049 HIGH - 7.1

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archi...

Vendor: pip
Product: wheel
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24009 HIGH - 8.1

Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2...

Vendor: pip
Product: docling-core
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24006 HIGH - 7.5

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serializat...

Vendor: npm
Product: seroval
Published: Jan 22, 2026
Source: GitHub
CVE-2025-65098 HIGH - 7.4

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their Ope...

Vendor: npm
Product: @typebot.io/js
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24390 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1.

Vendor: QantumThemes
Product: Kentha Elementor Widgets
Published: Jan 22, 2026
Source: NVD
CVE-2026-24380 HIGH - 8.8

Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.8.0.

Vendor: Metagauss
Product: EventPrime
Published: Jan 22, 2026
Source: NVD
CVE-2026-24377 HIGH - 7.5

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3.

Vendor: POSIMYTH
Product: Nexter Blocks
Published: Jan 22, 2026
Source: NVD
CVE-2026-24368 HIGH - 8.8

Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.

Vendor: Theme-one
Product: The Grid
Published: Jan 22, 2026
Source: NVD
CVE-2026-24367 HIGH - 8.8

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8.

Vendor: shinetheme
Product: Traveler
Published: Jan 22, 2026
Source: NVD
CVE-2026-24358 HIGH - 8.8

Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.3.

Vendor: ExpressTech Systems
Product: Quiz And Survey Master
Published: Jan 22, 2026
Source: NVD
CVE-2026-24357 HIGH - 8.1

Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Recipe Maker: from n/a through <= 10.2.4.

Vendor: Brecht
Product: WP Recipe Maker
Published: Jan 22, 2026
Source: NVD
CVE-2026-24356 HIGH - 8.8

Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GetGenie: from n/a through <= 4.3.0.

Vendor: Roxnor
Product: GetGenie
Published: Jan 22, 2026
Source: NVD
CVE-2026-24353 HIGH - 8.1

Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.9.

Vendor: wpeverest
Product: User Registration
Published: Jan 22, 2026
Source: NVD
CVE-2026-23976 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Stored XSS. This issue affects Modula Image Gallery: from n/a through <= 2.13.4.

Vendor: WP Chill
Product: Modula Image Gallery
Published: Jan 22, 2026
Source: NVD