Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,831
Quick preset (or use dates below)
Clear Filters
Showing 12,781 - 12,800 of 14,675 CVEs
CVE-2026-24767 MEDIUM - 4.9

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections...

Vendor: nocodb
Product: nocodb
Published: Jan 28, 2026
Source: NVD
CVE-2026-24766 MEDIUM - 4.9

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server re...

Vendor: nocodb
Product: nocodb
Published: Jan 28, 2026
Source: NVD
CVE-2026-24742 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secret...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2026-24739 MEDIUM - 6.3

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as β€œspecial” when escaping arguments on Windows. When PHP ...

Vendor: symfony
Product: symfony
Published: Jan 28, 2026
Source: NVD
CVE-2026-1533 MEDIUM - 4.7

A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminAddCategory.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public...

Published: Jan 28, 2026
Source: NVD
CVE-2025-71006 MEDIUM - 6.5

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-71005 MEDIUM - 6.5

A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-71004 MEDIUM - 6.5

A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2026-21865 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a work...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-71002 MEDIUM - 6.5

A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-69289 MEDIUM - 5.4

Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-69218 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive con...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68934 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as th...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68933 MEDIUM - 6.9

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then expor...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68666 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked thro...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-61730 MEDIUM - 6.2

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosur...

Vendor: Go standard library
Product: crypto/tls
Published: Jan 28, 2026
Source: NVD
CVE-2025-61728 MEDIUM - 6.5

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Vendor: Go standard library
Product: archive/zip
Published: Jan 28, 2026
Source: NVD
CVE-2025-13985 MEDIUM - 5.3

Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.

Vendor: Drupal
Product: Entity Share
Published: Jan 28, 2026
Source: NVD
CVE-2025-13984 MEDIUM - 6.1

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.

Vendor: Drupal
Product: Next.js
Published: Jan 28, 2026
Source: NVD
CVE-2025-13983 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.

Vendor: Drupal
Product: Tagify
Published: Jan 28, 2026
Source: NVD