Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,881
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,381 - 12,400 of 14,292 CVEs
CVE-2020-37131 MEDIUM - 6.2

Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the 'Key' input ...

Vendor: Nsauditor
Product: Product Key Explorer
Published: Feb 05, 2026
Source: NVD
CVE-2020-37128 MEDIUM - 6.2

ZOC Terminal 7.25.5 contains a script processing vulnerability that allows local attackers to crash the application by loading a maliciously crafted REXX script file. Attackers can generate an oversized script with 20,000 repeated characters to trigger an application crash and cause a denial of serv...

Vendor: EmTec
Product: ZOC Terminal
Published: Feb 05, 2026
Source: NVD
CVE-2026-1927 MEDIUM - 4.3

The Greenshift โ€“ animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, wi...

Published: Feb 05, 2026
Source: NVD
CVE-2025-14150 MEDIUM - 6.5

IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses.

Vendor: IBM
Product: webMethods Integration (on prem) - Integration Server
Published: Feb 05, 2026
Source: NVD
CVE-2025-13491 MEDIUM - 5.1

IBM App Connect Enterprise Certified Containerย up to 12.19.0 (Continuous Delivery) andย 12.0 LTS (Long Term Support) could allow an attacker to access sensitive files or modify configurations due to an untrusted search path.

Vendor: IBM
Product: App Connect Operator, App Connect EnterpriseCertified Containers Operands
Published: Feb 05, 2026
Source: NVD
CVE-2026-1517 MEDIUM - 4.7

A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. Upgrading to version 4.5 LTS and 5.0 is able to address this issue. You should upgrade the affected ...

Published: Feb 05, 2026
Source: NVD
CVE-2026-1654 MEDIUM - 6.1

The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated a...

Published: Feb 05, 2026
Source: NVD
CVE-2026-1271 MEDIUM - 5.3

The ProfileGrid โ€“ User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() f...

Published: Feb 05, 2026
Source: NVD
CVE-2025-14079 MEDIUM - 5.3

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-priv...

Vendor: elextensions
Product: ELEX WordPress HelpDesk & Customer Ticketing System
Published: Feb 05, 2026
Source: NVD
CVE-2026-1319 MEDIUM - 6.4

The Robin Image Optimizer โ€“ Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and o...

Published: Feb 05, 2026
Source: NVD
CVE-2025-13416 MEDIUM - 4.3

The ProfileGrid โ€“ User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attacke...

Vendor: metagauss
Product: ProfileGrid โ€“ User Profiles, Groups and Communities
Published: Feb 05, 2026
Source: NVD
CVE-2026-25198 MEDIUM - 4.7

web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.

Vendor: web2py
Product: web2py
Published: Feb 05, 2026
Source: NVD
CVE-2025-10258 MEDIUM - 6.3

Infinera DNA is vulnerable to a time-based SQL injection vulnerability due to insufficient input validation, which may result in leaking of sensitive information.

Vendor: Nokia
Product: Infinera DNA
Published: Feb 05, 2026
Source: NVD
CVE-2026-1268 MEDIUM - 6.4

The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it ...

Published: Feb 05, 2026
Source: NVD
CVE-2026-1246 MEDIUM - 4.9

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it...

Published: Feb 05, 2026
Source: NVD
CVE-2026-0867 MEDIUM - 6.4

The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attr...

Published: Feb 05, 2026
Source: NVD
CVE-2026-1898 MEDIUM - 6.3

A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to...

Vendor: wekan_project
Product: wekan
Published: Feb 05, 2026
Source: NVD
CVE-2026-1897 MEDIUM - 4.3

A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to versi...

Vendor: wekan_project
Product: wekan
Published: Feb 05, 2026
Source: NVD
CVE-2026-1896 MEDIUM - 6.3

A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access ...

Vendor: wekan_project
Product: wekan
Published: Feb 05, 2026
Source: NVD
CVE-2023-43637 MEDIUM - 6.7

Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always ...

Vendor: go
Product: github.com/lf-edge/eve
Published: Feb 04, 2026
Source: GitHub