Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,850
Quick preset (or use dates below)
Clear Filters
Showing 12,721 - 12,740 of 14,675 CVEs
CVE-2025-9226 MEDIUM - 4.6

Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details.

Published: Jan 30, 2026
Source: NVD
CVE-2026-22626 MEDIUM - 4.9

Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.

Vendor: HIKSEMI
Product: HS-AFS-S1H1
Published: Jan 30, 2026
Source: NVD
CVE-2026-22625 MEDIUM - 4.6

Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files.

Vendor: HIKSEMI
Product: HS-AFS-S1H1
Published: Jan 30, 2026
Source: NVD
CVE-2026-22624 MEDIUM - 4.3

Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.

Vendor: HIKSEMI
Product: HS-AFS-S1H1
Published: Jan 30, 2026
Source: NVD
CVE-2026-25210 MEDIUM - 6.9

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Vendor: libexpat project
Product: libexpat
Published: Jan 30, 2026
Source: NVD
CVE-2025-12899 MEDIUM - 6.5

A flaw in Zephyrโ€™s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem.

Vendor: zephyrproject-rtos
Product: Zephyr
Published: Jan 30, 2026
Source: NVD
CVE-2025-15322 MEDIUM - 4.3

Tanium addressed an improper access controls vulnerability in Tanium Server.

Vendor: Tanium
Product: Tanium Server
Published: Jan 30, 2026
Source: NVD
CVE-2026-1638 MEDIUM - 6.3

A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to th...

Published: Jan 30, 2026
Source: NVD

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file `...

Vendor: inspektor-gadget
Product: inspektor-gadget
Published: Jan 29, 2026
Source: NVD
CVE-2026-24904 MEDIUM - 5.3

TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writ...

Vendor: TrustTunnel
Product: TrustTunnel
Published: Jan 29, 2026
Source: NVD
CVE-2026-24846 MEDIUM - 5.5

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `han...

Vendor: chainguard-dev
Product: malcontent
Published: Jan 29, 2026
Source: NVD
CVE-2026-24845 MEDIUM - 6.5

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-con...

Vendor: chainguard-dev
Product: malcontent
Published: Jan 29, 2026
Source: NVD
CVE-2026-1625 MEDIUM - 6.3

A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The explo...

Published: Jan 29, 2026
Source: NVD
CVE-2026-1624 MEDIUM - 6.3

A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed ...

Published: Jan 29, 2026
Source: NVD
CVE-2026-1623 MEDIUM - 6.3

A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could...

Published: Jan 29, 2026
Source: NVD

Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Clou...

Vendor: umbraco
Product: Umbraco.Forms.Issues
Published: Jan 29, 2026
Source: NVD
CVE-2025-15550 MEDIUM - 5.3

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query par...

Vendor: birkir
Product: prime
Published: Jan 29, 2026
Source: NVD
CVE-2025-15549 MEDIUM - 4.8

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded...

Vendor: FluentCMS
Product: FluentCMS
Published: Jan 29, 2026
Source: NVD
CVE-2026-1601 MEDIUM - 6.3

A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made avail...

Published: Jan 29, 2026
Source: NVD
CVE-2025-69749 MEDIUM - 6.1

Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code.

Published: Jan 29, 2026
Source: NVD