Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,868
Quick preset (or use dates below)
Clear Filters
Showing 12,581 - 12,600 of 14,675 CVEs
CVE-2025-67857 MEDIUM - 4.3

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.

Vendor: composer
Product: moodle/moodle
Published: Feb 03, 2026
Source: NVD
CVE-2025-67856 MEDIUM - 5.4

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to priv...

Vendor: composer
Product: moodle/moodle
Published: Feb 03, 2026
Source: NVD
CVE-2025-67855 MEDIUM - 5.4

A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links....

Vendor: composer
Product: moodle/moodle
Published: Feb 03, 2026
Source: NVD
CVE-2025-67851 MEDIUM - 6.1

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to comp...

Vendor: composer
Product: moodle/moodle
Published: Feb 03, 2026
Source: NVD
CVE-2026-1592 MEDIUM - 6.3

Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the Create New Layer feature. Unsanitized user input is embedded into the HTML output, allowing arbitrary JavaScript execution when the layer is referenced. This issue affects pdfonline.foxit.com: before 2026...

Published: Feb 03, 2026
Source: NVD
CVE-2026-1591 MEDIUM - 6.3

Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.fo...

Published: Feb 03, 2026
Source: NVD
CVE-2026-1371 MEDIUM - 5.3

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify ...

Published: Feb 03, 2026
Source: NVD
CVE-2026-24449 MEDIUM - 4.6

For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information.

Vendor: ELECOM CO.,LTD.
Product: WRC-X1500GS-B, WRC-X1500GSA-B
Published: Feb 03, 2026
Source: NVD
CVE-2026-20704 MEDIUM - 4.3

Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed.

Vendor: ELECOM CO.,LTD.
Product: WRC-X1500GS-B, WRC-X1500GSA-B
Published: Feb 03, 2026
Source: NVD
CVE-2026-1447 MEDIUM - 5.4

The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a for...

Published: Feb 03, 2026
Source: NVD
CVE-2026-1210 MEDIUM - 6.4

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Published: Feb 03, 2026
Source: NVD
CVE-2026-0950 MEDIUM - 5.3

The Spectra Gutenberg Blocks โ€“ Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt(...

Published: Feb 03, 2026
Source: NVD
CVE-2025-14274 MEDIUM - 5.4

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for aut...

Vendor: unitecms
Product: Unlimited Elements For Elementor
Published: Feb 03, 2026
Source: NVD
CVE-2026-0909 MEDIUM - 5.3

The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authe...

Published: Feb 03, 2026
Source: NVD
CVE-2025-58379 MEDIUM - 5.5

Brocade Fabric OS before 9.2.1 has a vulnerability that could allow a local authenticated attacker to reveal command line passwords using commands that may expose higher privilege sensitive information by a lower privileged user.

Vendor: Brocade
Product: Fabric OS
Published: Feb 03, 2026
Source: NVD
CVE-2026-25228 MEDIUM - 5.0

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The val...

Vendor: SignalK
Product: signalk-server
Published: Feb 02, 2026
Source: NVD
CVE-2026-25144 MEDIUM - 5.3

Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4.

Vendor: Talishar
Product: Talishar
Published: Feb 02, 2026
Source: NVD
CVE-2026-24007 MEDIUM - 4.6

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This ...

Vendor: Enalean
Product: tuleap
Published: Feb 02, 2026
Source: NVD
CVE-2026-22780 MEDIUM - 4.4

Rizin is a UNIX-like reverse engineering framework and command-line toolset. Prior to 0.8.2, a heap overflow can be exploited when a malicious mach0 file, having bogus entries for the dyld chained segments, is parsed by rizin. This vulnerability is fixed in 0.8.2.

Vendor: rizinorg
Product: rizin
Published: Feb 02, 2026
Source: NVD
CVE-2026-1778 MEDIUM - 5.9

Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed.

Vendor: pip
Product: sagemaker
Published: Feb 02, 2026
Source: NVD