Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,801 - 12,820 of 13,594 CVEs
CVE-2026-0899 HIGH - 8.8

Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Published: Jan 20, 2026
Source: NVD
CVE-2025-14977 HIGH - 8.1

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a ...

Vendor: dokaninc
Product: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Published: Jan 20, 2026
Source: NVD
CVE-2026-23949 HIGH - 8.6

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract fil...

Vendor: jaraco
Product: jaraco.context
Published: Jan 20, 2026
Source: NVD
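The bug class behind CVE-2026-23949 is generic to any tar/zip extractor that joins member names to a destination without checking where the joined path lands. The following is an added example, not jaraco.context's code: it classifies members of a constructed tarball before extraction, rejecting names that resolve outside the destination, link targets that point outside it, and device/fifo members. The archive contents, the `run_demo` helper and the temp directory it uses are constructed for the demo.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def _inside(base: Path, candidate: Path) -> bool:
    """True when candidate lies under base; both paths must already be resolved."""
    try:
        candidate.relative_to(base)
        return True
    except ValueError:
        return False


def classify_members(tar: tarfile.TarFile, dest: Path):
    """Split the archive into (safe_members, rejected) before anything touches disk.

    A Zip Slip member is one whose name (or link target) lands outside dest once
    joined to it, so the check resolves the joined path instead of searching for
    a '..' substring, which would miss '/abs/path' and 'a/../../x'.
    """
    dest = dest.resolve()
    safe, rejected = [], []
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        if os.path.isabs(m.name) or not _inside(dest, target):
            rejected.append((m.name, "path escapes destination"))
            continue
        if m.issym() or m.islnk():
            # Symlink targets are relative to the link's own directory; hard link
            # targets are archive-relative. Either way the result must stay inside.
            link_base = target.parent if m.issym() else dest
            link_target = (link_base / m.linkname).resolve()
            if os.path.isabs(m.linkname) or not _inside(dest, link_target):
                rejected.append((m.name, "link target escapes destination"))
                continue
        elif not (m.isfile() or m.isdir()):
            rejected.append((m.name, "device/fifo member refused"))
            continue
        safe.append(m)
    return safe, rejected


def extract_safely(archive: bytes, dest: Path):
    """Extract only vetted members; returns (extracted names, rejected (name, reason) pairs)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        safe, rejected = classify_members(tar, dest)
        tar.extractall(path=dest, members=safe)
    return [m.name for m in safe], rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file, one '..' escape, one outward symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("pkg/ok.txt", b"hello\n"), ("../../escape.txt", b"owned\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/evil_link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def run_demo():
    """Extract the sample into a fresh temp dir; returns (extracted, sorted rejected names, ok.txt bytes)."""
    dest = Path(tempfile.mkdtemp(prefix="zipslip-demo-"))
    extracted, rejected = extract_safely(build_sample_archive(), dest)
    content = (dest / "pkg" / "ok.txt").read_bytes()
    return extracted, sorted(name for name, _ in rejected), content


if __name__ == "__main__":
    print(run_demo())
```

On Python 3.12 and later (and the security releases of 3.8 through 3.11 that backported PEP 706), `tarfile.extractall(filter="data")` performs equivalent checks natively; the explicit pre-check above is still useful because it reports which members were refused instead of aborting the whole extraction.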
CVE-2026-23876 HIGH - 8.1

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when proces...

Vendor: ImageMagick
Product: ImageMagick
Published: Jan 20, 2026
Source: NVD
CVE-2026-1202 HIGH - 7.3

A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotel...

Published: Jan 20, 2026
Source: NVD
CVE-2026-1192 HIGH - 7.3

A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit ...

Published: Jan 19, 2026
Source: NVD
CVE-2026-1179 HIGH - 7.3

A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. The attack can be launched remotely. The exploit is now public and may be u...

Published: Jan 19, 2026
Source: NVD
CVE-2026-1178 HIGH - 7.3

A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. The attack can be initiated remotely. The exp...

Published: Jan 19, 2026
Source: NVD
CVE-2026-1177 HIGH - 7.3

A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. It is possible to launch the attack...

Published: Jan 19, 2026
Source: NVD
CVE-2026-23880 HIGH - 7.3

OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when ...

Vendor: HackUCF
Product: OnboardLite
Published: Jan 19, 2026
Source: NVD
CVE-2026-1176 HIGH - 7.3

A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to th...

Published: Jan 19, 2026
Source: NVD
CVE-2026-23846 HIGH - 8.1

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially expos...

Vendor: Quenary
Product: tugtainer
Published: Jan 19, 2026
Source: NVD
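Credentials sent in a query string, as described for CVE-2026-23846, end up wherever request lines are recorded: server access logs, proxies, browser history and Referer headers. An added example (not Tugtainer's code) of what a defender does with that: a scanner that flags sensitive parameter names in constructed access-log lines without copying the values into the report, plus a redaction helper for the logging side. The log lines, parameter list and regex are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never appear in a query string (matched case-insensitively).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "access_token",
                    "secret", "api_key", "apikey"}

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from any real server).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [19/Jan/2026:10:02:11 +0000] "POST /api/login?username=alice&password=Tr0ub4dor HTTP/1.1" 200 312
10.0.0.5 - - [19/Jan/2026:10:02:15 +0000] "GET /api/containers?token=eyJhbGciOi HTTP/1.1" 200 1801
10.0.0.9 - - [19/Jan/2026:10:03:40 +0000] "POST /api/login HTTP/1.1" 200 312
10.0.0.9 - - [19/Jan/2026:10:04:02 +0000] "GET /static/app.js?v=1.16.0 HTTP/1.1" 200 9032
10.0.0.7 - - [19/Jan/2026:10:05:13 +0000] "GET /api/login?Password=hunter2 HTTP/1.1" 401 87
"""


def sensitive_params_in_target(target: str):
    """Names of sensitive query parameters in a request target, original case kept."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS]


def find_credential_leaks(log_text: str):
    """Scan access-log lines; one finding per request that carried a secret in the URL.
    Values are deliberately not copied into the finding so the report itself does not leak."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        leaked = sensitive_params_in_target(m["target"])
        if leaked:
            findings.append({
                "ip": m["ip"], "method": m["method"], "status": int(m["status"]),
                "path": urlsplit(m["target"]).path, "params": leaked,
            })
    return findings


def redact_target(target: str) -> str:
    """Mask sensitive values before a request line is written to a log."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_ACCESS_LOG):
        print(finding)
    print(redact_target("/api/login?username=alice&password=Tr0ub4dor"))
```

Note the last sample line: the login failed (401) but the password was logged anyway, which is why log redaction is a stopgap and moving the credential into the request body (or an Authorization header) is the actual fix.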
CVE-2026-23843 HIGH - 7.1

teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can...

Vendor: sibercii6-crypto
Product: teklifolustur_app
Published: Jan 19, 2026
Source: NVD
CVE-2026-23625 HIGH - 8.7

OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work pac...

Vendor: opf
Product: openproject
Published: Jan 19, 2026
Source: NVD
CVE-2026-22850 HIGH - 8.3

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the pub...

Vendor: ibericode
Product: koko-analytics
Published: Jan 19, 2026
Source: NVD
CVE-2026-22037 HIGH - 8.4

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the mi...

Vendor: fastify
Product: fastify-express
Published: Jan 19, 2026
Source: NVD
CVE-2026-22031 HIGH - 8.4

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). Wh...

Vendor: fastify
Product: middie
Published: Jan 19, 2026
Source: NVD
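CVE-2026-22037 and CVE-2026-22031 describe the same failure: a guard that does a string-prefix test on the raw request path, while the router later matches on a decoded form, so `/%61dmin` slips past the guard and still reaches `/admin`. The following is an added example in Python (not Fastify's code, and the page does not say how the projects fixed it): the naive guard beside one that canonicalizes first, run over constructed probe paths. `PROTECTED_PREFIX`, the decode bound and the probes are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"


def naive_is_protected(raw_path: str) -> bool:
    """Guard as commonly written: string-prefix test on the undecoded request path."""
    return raw_path == PROTECTED_PREFIX or raw_path.startswith(PROTECTED_PREFIX + "/")


def canonicalize_path(raw_path: str, max_decode_rounds: int = 3) -> str:
    """Reduce a request path to the form a router will match on.

    - percent-decode until stable (covers %61 and double-encoded %2561; fails
      closed if more layers are stacked than max_decode_rounds allows)
    - refuse embedded NULs
    - collapse '//' and '.'/'..' segments with posixpath.normpath, after forcing
      a single leading slash because normpath keeps a leading '//' on POSIX
    """
    path = raw_path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many percent-encoding layers")
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(raw_path: str) -> bool:
    """Same policy as naive_is_protected, applied to the canonical path.
    A path that cannot be canonicalized is treated as protected (fail closed)."""
    try:
        path = canonicalize_path(raw_path)
    except ValueError:
        return True
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


# Constructed probes: (request path, should the guard fire?)
PROBES = [
    ("/admin/users", True),
    ("/%61dmin/users", True),          # single-encoded 'a', the case in the advisories
    ("/%2561dmin/users", True),        # double-encoded
    ("/public/../admin/users", True),  # dot-segment traversal into the tree
    ("//admin/users", True),           # duplicate slash
    ("/admin%2Fusers", True),          # encoded slash
    ("/administrator", False),         # prefix boundary: not the protected tree
    ("/public/index.html", False),
]


def compare_guards():
    """Probes the naive guard answers wrongly; the canonical guard answers all of them right."""
    return [p for p, expected in PROBES if naive_is_protected(p) != expected]


if __name__ == "__main__":
    print("naive guard misses:", compare_guards())
    print("canonical guard correct:", all(is_protected(p) == e for p, e in PROBES))
```

Decoding to a fixed point deliberately over-matches (a literal `%61` in a legitimate path is treated as `a`); for an authorization guard that is the safe direction. The more robust design is to not have two parsers at all: apply the check to the exact path object the router dispatches on, or attach the protected routes under the router's own prefix mechanism instead of a string compare.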
CVE-2026-1160 HIGH - 7.3

A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated remotely. The exploit has been dis...

Published: Jan 19, 2026
Source: NVD
CVE-2025-68616 HIGH - 7.5

WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud met...

Vendor: Kozea
Product: WeasyPrint
Published: Jan 19, 2026
Source: NVD
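The description of CVE-2025-68616 is cut off before it explains the bypass, so nothing below reproduces it. What an HTML-to-PDF renderer's URL fetcher needs in general is a guard that decides on the addresses a host resolves to, not on the hostname string. An added example (not WeasyPrint's `default_url_fetcher`): scheme allow-list, resolution through an injectable resolver, unwrapping of IPv4-mapped IPv6 literals, and refusal if any resolved address is non-public. The fake DNS table, the sample URLs and the "public" IP in it are constructed for the offline demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr) -> bool:
    """Reject loopback, RFC 1918/4193, link-local (including 169.254.169.254),
    CGNAT, multicast, unspecified and other reserved space. IPv4-mapped IPv6
    literals such as ::ffff:127.0.0.1 are unwrapped first so they cannot mask
    a loopback target."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str):
    """Resolve with getaddrinfo, which also accepts IPv4 literal spellings such
    as '127.1' or '0x7f000001' that ipaddress.ip_address() would reject."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def check_fetch_target(url: str, resolver=system_resolver):
    """Returns (allowed, reason, addresses). Every resolved address must be
    public; one internal A/AAAA record among public ones is enough to refuse."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "host did not resolve", []
    if not addrs:
        return False, "host did not resolve", []
    internal = [str(a) for a in addrs if not is_public_address(a)]
    if internal:
        return False, "resolves to non-public address: " + ", ".join(internal), []
    return True, "ok", [str(a) for a in addrs]


# Constructed DNS records so the demo runs offline (the public IP is arbitrary).
FAKE_DNS = {
    "app.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.1"],
}


def fake_resolver(host: str):
    """Offline stand-in for system_resolver: table lookup, else parse a literal."""
    if host in FAKE_DNS:
        return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]
    return [ipaddress.ip_address(host)]      # ValueError for anything unparseable


def demo():
    """Run the guard over constructed URLs; returns {url: allowed}."""
    urls = [
        "https://app.example/report.html",
        "http://metadata.internal/latest/meta-data/",
        "http://127.0.0.1:8080/",
        "http://[::1]/",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example/",
        "file:///etc/passwd",
    ]
    return {u: check_fetch_target(u, resolver=fake_resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {url}")
```

Two caveats that matter in a real fetcher: the connection must go to the address that was vetted (pin it, or re-resolve and re-check inside the connect path) or a DNS rebinding answer between check and use defeats the guard; and every redirect hop is a new URL that needs the same check.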
CVE-2025-61684 HIGH - 7.5

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9...

Vendor: h2o
Product: quicly
Published: Jan 19, 2026
Source: NVD