Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,850
Quick preset (or use dates below)
Clear Filters
Showing 12,481 - 12,500 of 14,217 CVEs
CVE-2020-37030 HIGH - 7.8

Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with Local...

Vendor: Getoutline
Product: Outline Service
Published: Jan 30, 2026
Source: NVD
CVE-2026-25128 HIGH - 7.5

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range e...

Vendor: NaturalIntelligence
Product: fast-xml-parser
Published: Jan 30, 2026
Source: NVD
CVE-2026-24854 HIGH - 8.8

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6....

Vendor: ChurchCRM
Product: CRM
Published: Jan 30, 2026
Source: NVD
CVE-2026-1688 HIGH - 7.3

A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed...

Published: Jan 30, 2026
Source: NVD
CVE-2026-1687 HIGH - 7.3

A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack re...

Published: Jan 30, 2026
Source: NVD
CVE-2026-1686 HIGH - 8.8

A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possible to initiate the attack remotely. The exploi...

Published: Jan 30, 2026
Source: NVD
CVE-2025-4686 HIGH - 8.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection.This issue affects Online Exam and Assessment: through 30012026....

Published: Jan 30, 2026
Source: NVD
CVE-2024-4027 HIGH - 7.5

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

Vendor: maven
Product: io.undertow:undertow-core
Published: Jan 30, 2026
Source: NVD
CVE-2026-22623 HIGH - 7.2

Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.

Vendor: HIKSEMI
Product: HS-AFS-S1H1
Published: Jan 30, 2026
Source: NVD
CVE-2026-0709 HIGH - 7.2

Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.

Published: Jan 30, 2026
Source: NVD
CVE-2026-22277 HIGH - 7.8

Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution ...

Vendor: Dell
Product: UnityVSA
Published: Jan 30, 2026
Source: NVD
CVE-2026-21418 HIGH - 7.8

Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution w...

Vendor: Dell
Product: Unity
Published: Jan 30, 2026
Source: NVD
CVE-2025-1395 HIGH - 8.2

Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping.This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verifying fixing process ...

Published: Jan 30, 2026
Source: NVD
CVE-2026-0805 HIGH - 8.2

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

Published: Jan 30, 2026
Source: NVD
CVE-2026-24714 HIGH - 7.5

Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box.

Vendor: NETGEAR
Product: NETGEAR products
Published: Jan 30, 2026
Source: NVD
CVE-2026-1637 HIGH - 8.8

A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be...

Published: Jan 29, 2026
Source: NVD
CVE-2026-25126 HIGH - 7.1

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON bodyโ€™s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., ...

Vendor: polarnl
Product: PolarLearn
Published: Jan 29, 2026
Source: NVD
CVE-2026-25116 HIGH - 7.6

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN...

Vendor: runtipi
Product: runtipi
Published: Jan 29, 2026
Source: NVD
CVE-2026-24902 HIGH - 7.1

TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path....

Vendor: TrustTunnel
Product: TrustTunnel
Published: Jan 29, 2026
Source: NVD
CVE-2025-69604 HIGH - 7.8

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls.

Published: Jan 29, 2026
Source: NVD