Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,859
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 12,481 - 12,500 of 14,292 CVEs
CVE-2026-25155 MEDIUM - 5.9

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.

Vendor: QwikDev
Product: qwik
Published: Feb 03, 2026
Source: NVD
CVE-2026-25151 MEDIUM - 5.9

Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content...

Vendor: QwikDev
Product: qwik
Published: Feb 03, 2026
Source: NVD

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Success...

Vendor: QwikDev
Product: qwik
Published: Feb 03, 2026
Source: NVD
CVE-2026-1811 MEDIUM - 6.3

A flaw has been found in bolo-blog bolo-solo up to 2.6.4. This affects the function importFromMarkdown of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. Executing a manipulation of the argument File can lead to path traversal. The attack may be ...

Published: Feb 03, 2026
Source: NVD
CVE-2020-37096 MEDIUM - 5.3

Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent.

Vendor: EDIMAX Technology Co., Ltd.
Product: EW-7438RPn Mini
Published: Feb 03, 2026
Source: NVD
CVE-2020-37091 MEDIUM - 5.3

Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ a...

Vendor: Maian Media
Product: Maian Support Helpdesk
Published: Feb 03, 2026
Source: NVD
CVE-2020-37086 MEDIUM - 6.2

Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download sen...

Vendor: Rubikon Teknoloji
Product: Easy Transfer
Published: Feb 03, 2026
Source: NVD
CVE-2020-37077 MEDIUM - 6.5

Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploit the vulnerable 'tn' parameter to read files outside the intended directory by manipulati...

Vendor: Twinkle Toes Software
Product: Booked Scheduler
Published: Feb 03, 2026
Source: NVD
CVE-2026-1810 MEDIUM - 6.3

A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulation of the argument File results in path traversal. T...

Published: Feb 03, 2026
Source: NVD
CVE-2026-1801 MEDIUM - 5.3

A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required...

Published: Feb 03, 2026
Source: NVD
CVE-2026-25597 MEDIUM - 5.3

PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measur...

Vendor: composer
Product: prestashop/prestashop
Published: Feb 03, 2026
Source: GitHub
CVE-2026-25616 MEDIUM - 4.7

Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665.

Vendor: Blesta
Product: Blesta
Published: Feb 03, 2026
Source: NVD
CVE-2026-24441 MEDIUM - 5.9

Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material.

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: Tenda AC7
Published: Feb 03, 2026
Source: NVD
CVE-2026-24434 MEDIUM - 6.5

Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: Tenda AC7
Published: Feb 03, 2026
Source: NVD

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its conte...

Vendor: nuget
Product: HtmlSanitizer
Published: Feb 03, 2026
Source: GitHub

Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_c...

Vendor: rust
Product: bytes
Published: Feb 03, 2026
Source: GitHub

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Descript...

Vendor: craftcms
Product: commerce
Published: Feb 03, 2026
Source: NVD
CVE-2026-24427 MEDIUM - 5.5

Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configuration response bodies. In addition, responses lack appropriat...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: Tenda AC7
Published: Feb 03, 2026
Source: NVD
CVE-2026-24426 MEDIUM - 6.1

Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser cont...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: Tenda AC7
Published: Feb 03, 2026
Source: NVD
CVE-2025-52628 MEDIUM - 4.6

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.

Vendor: HCL
Product: AION
Published: Feb 03, 2026
Source: NVD