Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,878
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 12,821 - 12,840 of 14,330 CVEs
CVE-2026-24742 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secret...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2026-24739 MEDIUM - 6.3

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as β€œspecial” when escaping arguments on Windows. When PHP ...

Vendor: symfony
Product: symfony
Published: Jan 28, 2026
Source: NVD
CVE-2026-1533 MEDIUM - 4.7

A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminAddCategory.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public...

Published: Jan 28, 2026
Source: NVD
CVE-2025-71006 MEDIUM - 6.5

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-71005 MEDIUM - 6.5

A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-71004 MEDIUM - 6.5

A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2026-21865 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a work...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-71002 MEDIUM - 6.5

A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: oneflow
Product: oneflow
Published: Jan 28, 2026
Source: NVD
CVE-2025-69289 MEDIUM - 5.4

Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-69218 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive con...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68934 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as th...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68933 MEDIUM - 6.9

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then expor...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-68666 MEDIUM - 6.5

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked thro...

Vendor: discourse
Product: discourse
Published: Jan 28, 2026
Source: NVD
CVE-2025-61730 MEDIUM - 6.2

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosur...

Vendor: Go standard library
Product: crypto/tls
Published: Jan 28, 2026
Source: NVD
CVE-2025-61728 MEDIUM - 6.5

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Vendor: Go standard library
Product: archive/zip
Published: Jan 28, 2026
Source: NVD
CVE-2025-13985 MEDIUM - 5.3

Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.

Vendor: Drupal
Product: Entity Share
Published: Jan 28, 2026
Source: NVD
CVE-2025-13984 MEDIUM - 6.1

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.

Vendor: Drupal
Product: Next.js
Published: Jan 28, 2026
Source: NVD
CVE-2025-13983 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.

Vendor: Drupal
Product: Tagify
Published: Jan 28, 2026
Source: NVD
CVE-2025-13981 MEDIUM - 4.4

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1...

Vendor: Drupal
Product: AI (Artificial Intelligence)
Published: Jan 28, 2026
Source: NVD
CVE-2025-13980 MEDIUM - 5.3

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 bef...

Vendor: Drupal
Product: CKEditor 5 Premium Features
Published: Jan 28, 2026
Source: NVD