Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,745
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,801 - 12,820 of 14,292 CVEs
CVE-2025-13981 MEDIUM - 4.4

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1...

Vendor: Drupal
Product: AI (Artificial Intelligence)
Published: Jan 28, 2026
Source: NVD
CVE-2025-13980 MEDIUM - 5.3

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 bef...

Vendor: Drupal
Product: CKEditor 5 Premium Features
Published: Jan 28, 2026
Source: NVD
CVE-2025-13979 MEDIUM - 5.4

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2.

Vendor: Drupal
Product: Mini site
Published: Jan 28, 2026
Source: NVD
CVE-2023-37525 MEDIUM - 5.3

A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals.

Vendor: HCLSoftware
Product: BigFix Compliance
Published: Jan 28, 2026
Source: NVD
CVE-2026-24775 MEDIUM - 6.3

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work packag...

Vendor: opf
Product: openproject
Published: Jan 28, 2026
Source: NVD
CVE-2025-71001 MEDIUM - 6.5

A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-69601 MEDIUM - 5.1

A directory traversal (Zip Slip) vulnerability exists in the โ€œStatic Sitesโ€ feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files...

Published: Jan 28, 2026
Source: NVD
CVE-2025-68660 MEDIUM - 5.4

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68659 MEDIUM - 4.3

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and re...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-67723 MEDIUM - 4.6

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-66488 MEDIUM - 4.6

Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-57796 MEDIUM - 6.8

Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained.

Vendor: Explorance
Product: Blue
Published: Jan 28, 2026
Source: NVD
CVE-2025-46316 MEDIUM - 4.3

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory.

Vendor: Apple
Product: macOS, Pages, iOS and iPadOS
Published: Jan 28, 2026
Source: NVD
CVE-2025-46306 MEDIUM - 5.5

The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. Processing a maliciously crafted Keynote file may disclose memory contents.

Vendor: Apple
Product: iOS and iPadOS, Keynote, macOS
Published: Jan 28, 2026
Source: NVD
CVE-2025-33237 MEDIUM - 5.5

NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service.

Vendor: NVIDIA
Product: GeForce, RTX, Quadro, NVS
Published: Jan 28, 2026
Source: NVD
CVE-2020-36973 MEDIUM - 6.5

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversa...

Vendor: michalc
Product: PDW File Browser
Published: Jan 28, 2026
Source: NVD
CVE-2020-36968 MEDIUM - 6.5

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all u...

Vendor: Tildeslash Ltd.
Product: M/Monit
Published: Jan 28, 2026
Source: NVD
CVE-2020-36944 MEDIUM - 4.0

ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the portfolio is exported to PDF...

Vendor: ilias.de
Product: ILIAS Learning Management System
Published: Jan 28, 2026
Source: NVD
CVE-2026-1522 MEDIUM - 5.3

A weakness has been identified in Open5GS up to 2.7.6. This vulnerability affects the function sgwc_s5c_handle_modify_bearer_response of the file src/sgwc/s5c-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has...

Vendor: open5gs
Product: open5gs
Published: Jan 28, 2026
Source: NVD
CVE-2025-65887 MEDIUM - 6.5

A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD