Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,859
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 12,461 - 12,480 of 14,292 CVEs
CVE-2026-23704 MEDIUM - 6.5

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as we...

Vendor: Six Apart Ltd.
Product: Movable Type (Software Edition), Movable Type Advanced (Software Edition), Movable Type Premium (Software Edition), Movable Type Premium (Advanced Edition) (Software Edition), Movable Type (Cloud Edition), Movable Type Premium (Cloud Edition)
Published: Feb 04, 2026
Source: NVD
CVE-2026-22875 MEDIUM - 5.4

Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vuln...

Vendor: Six Apart Ltd.
Product: Movable Type (Software Edition), Movable Type Advanced (Software Edition), Movable Type Premium (Software Edition), Movable Type Premium (Advanced Edition) (Software Edition), Movable Type (Cloud Edition), Movable Type Premium (Cloud Edition)
Published: Feb 04, 2026
Source: NVD
CVE-2026-21393 MEDIUM - 5.4

Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vuln...

Vendor: Six Apart Ltd.
Product: Movable Type (Software Edition), Movable Type Advanced (Software Edition), Movable Type Premium (Software Edition), Movable Type Premium (Advanced Edition) (Software Edition), Movable Type (Cloud Edition), Movable Type Premium (Cloud Edition)
Published: Feb 04, 2026
Source: NVD
CVE-2026-20982 MEDIUM - 6.0

Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-20981 MEDIUM - 6.6

Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-20980 MEDIUM - 6.8

Improper input validation in PACM prior to SMR Feb-2026 Release 1 allows physical attacker to execute arbitrary commands.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-20978 MEDIUM - 6.1

Improper authorization in KnoxGuardManager prior to SMR Feb-2026 Release 1 allows local attackers to bypass the persistence configuration of the application.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2026-20977 MEDIUM - 5.5

Improper access control in Emergency Sharing prior to SMR Feb-2026 Release 1 allows local attackers to interrupt its functioning.

Vendor: Samsung Mobile
Product: Samsung Mobile Devices
Published: Feb 04, 2026
Source: NVD
CVE-2025-69621 MEDIUM - 6.5

An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader v1.0.95 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information.

Published: Feb 04, 2026
Source: NVD
CVE-2026-1835 MEDIUM - 4.3

A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product ad...

Published: Feb 04, 2026
Source: NVD
CVE-2026-1813 MEDIUM - 6.3

A vulnerability was found in bolo-blog bolo-solo up to 2.6.4. Affected is an unknown function of the file src/main/java/org/b3log/solo/bolo/pic/PicUploadProcessor.java of the component FreeMarker Template Handler. The manipulation of the argument File results in unrestricted upload. It is possible t...

Published: Feb 04, 2026
Source: NVD
CVE-2026-25578 MEDIUM - 6.1

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in v...

Vendor: go
Product: github.com/navidrome/navidrome
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25145 MEDIUM - 5.5

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The Licensi...

Vendor: go
Product: chainguard.dev/melange
Published: Feb 04, 2026
Source: GitHub
CVE-2026-25122 MEDIUM - 5.5

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force larg...

Vendor: go
Product: chainguard.dev/apko
Published: Feb 03, 2026
Source: GitHub
CVE-2026-24514 MEDIUM - 6.5

A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller...

Vendor: Kubernetes
Product: ingress-nginx
Published: Feb 03, 2026
Source: NVD
CVE-2026-1812 MEDIUM - 6.3

A vulnerability has been found in bolo-blog bolo-solo up to 2.6.4. This impacts the function importFromCnblogs of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. The manipulation of the argument File leads to path traversal. It is possible to ini...

Published: Feb 03, 2026
Source: NVD
CVE-2026-1755 MEDIUM - 6.4

The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

Published: Feb 03, 2026
Source: NVD
CVE-2025-36094 MEDIUM - 5.4

IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length.

Vendor: IBM
Product: Cloud Pak for Business Automation
Published: Feb 03, 2026
Source: NVD
CVE-2025-36033 MEDIUM - 5.4

IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript...

Vendor: IBM
Product: Engineering Lifecycle Management - Global Configuration Management
Published: Feb 03, 2026
Source: NVD
CVE-2025-33081 MEDIUM - 4.3

IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user.

Vendor: IBM
Product: Concert
Published: Feb 03, 2026
Source: NVD