Total CVEs

141,492

Critical Severity

3,867

High Severity

13,899

Last 7 Days

1,783
Showing 12,681 - 12,700 of 13,594 CVEs
CVE-2026-24010 HIGH - 8.8

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker c...

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-23962 HIGH - 7.5

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing res...

Vendor: mastodon
Product: mastodon
Published: Jan 22, 2026
Source: NVD
CVE-2026-23699 HIGH - 7.2

AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices.

Vendor: Ruijie Networks Co., Ltd.
Product: AP180(JA) V1.xx, AP180(JP) V1.xx, AP180-AC V1.xx, AP180-PE V1.xx, AP180(JA) V2.xx, AP180-AC V2.xx, AP180-PE V2.xx, AP180-AC V3.xx, AP180-PE V3.xx
Published: Jan 22, 2026
Source: NVD
CVE-2025-27380 HIGH - 7.6

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim's browser via crafted HTML content.

Vendor: Altium
Product: AES
Published: Jan 22, 2026
Source: NVD
CVE-2025-27378 HIGH - 8.6

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.

Vendor: Altium
Product: AES
Published: Jan 22, 2026
Source: NVD

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenti...

Vendor: go
Product: github.com/charmbracelet/soft-serve
Published: Jan 21, 2026
Source: GitHub

Summary: A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-has...

Vendor: npm
Product: wrangler
Published: Jan 21, 2026
Source: GitHub
CVE-2026-24046 HIGH - 7.1

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via t...

Vendor: npm
Product: @backstage/backend-defaults
Published: Jan 21, 2026
Source: GitHub

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server...

Vendor: go
Product: github.com/argoproj/argo-workflows/v3
Published: Jan 21, 2026
Source: GitHub
CVE-2025-68141 HIGH - 7.4

EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. This occurs in the method...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD
CVE-2025-68137 HIGH - 8.3

EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtra...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD
CVE-2025-68136 HIGH - 7.4

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, with...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD
CVE-2025-68134 HIGH - 7.4

EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits when any one of them terminates, leading to a denial...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD
CVE-2025-66960 HIGH - 7.5

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go: the function readGGUFV1String reads a string length from untrusted GGUF metadata.

Vendor: n/a
Product: n/a
Published: Jan 21, 2026
Source: NVD
CVE-2025-66959 HIGH - 7.5

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder

Vendor: n/a
Product: n/a
Published: Jan 21, 2026
Source: NVD
CVE-2021-47887 HIGH - 7.8

OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executa...

Vendor: OKI
Product: Print Job Accounting
Published: Jan 21, 2026
Source: NVD
CVE-2021-47886 HIGH - 7.8

Pingzapper 2.3.1 contains an unquoted service path vulnerability in the PingzapperSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Pingzapper\PZService.exe' to inject malicious executables and ...

Vendor: Fyrolabs LLC.
Product: Pingzapper
Published: Jan 21, 2026
Source: NVD
CVE-2021-47884 HIGH - 7.8

OKI Configuration Tool 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe' to inje...

Vendor: OKI
Product: Configuration Tool
Published: Jan 21, 2026
Source: NVD
CVE-2021-47883 HIGH - 7.8

Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during s...

Vendor: Sandboxie-Plus
Product: Sandboxie Plus
Published: Jan 21, 2026
Source: NVD
CVE-2021-47882 HIGH - 7.8

FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during ser...

Vendor: FreeLAN
Product: FreeLAN
Published: Jan 21, 2026
Source: NVD