Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,604
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,601 - 12,620 of 13,433 CVEs
CVE-2026-21967 HIGH - 8.6

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTT...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21957 HIGH - 7.5

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compro...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21956 HIGH - 8.2

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21955 HIGH - 8.2

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21945 HIGH - 7.5

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 an...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21940 HIGH - 7.5

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks ...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21939 HIGH - 7.0

Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where SQLcl executes to compromise SQLcl. Successful attacks require human in...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21932 HIGH - 7.4

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21926 HIGH - 7.5

Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successf...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21641 HIGH - 7.1

HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts.

Vendor: Revive
Product: Revive Adserver
Published: Jan 20, 2026
Source: NVD
CVE-2025-66902 HIGH - 7.5

An input validation issue in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-66692 HIGH - 7.5

A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-63648 HIGH - 7.5

A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-63647 HIGH - 7.5

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-59465 HIGH - 7.5

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that d...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD
CVE-2025-57156 HIGH - 7.5

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-57155 HIGH - 7.5

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-55131 HIGH - 7.1

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contai...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD
CVE-2025-55130 HIGH - 7.1

A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive file...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnosti...

Vendor: go
Product: github.com/fleetdm/fleet
Published: Jan 20, 2026
Source: GitHub