Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,801
Quick preset (or use dates below)
Clear Filters
Showing 12,821 - 12,840 of 14,675 CVEs
CVE-2025-13919 MEDIUM - 5.4

Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry.

Vendor: Broadcom
Product: Symantec Endpoint Protection Windows Client
Published: Jan 28, 2026
Source: NVD
CVE-2025-13918 MEDIUM - 6.7

Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally...

Vendor: Broadcom
Product: Symantec Endpoint Protection Windows Client
Published: Jan 28, 2026
Source: NVD
CVE-2026-1539 MEDIUM - 5.8

A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different ho...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1536 MEDIUM - 5.8

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP h...

Published: Jan 28, 2026
Source: NVD
CVE-2025-70336 MEDIUM - 4.8

A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. The saved payload gets exec...

Published: Jan 28, 2026
Source: NVD
CVE-2025-57283 MEDIUM - 7.8

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

Vendor: npm
Product: browserstack-local
Published: Jan 28, 2026
Source: NVD
CVE-2026-1521 MEDIUM - 5.3

A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit...

Vendor: open5gs
Product: open5gs
Published: Jan 28, 2026
Source: NVD
CVE-2026-1060 MEDIUM - 5.3

The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attack...

Published: Jan 28, 2026
Source: NVD
CVE-2025-14795 MEDIUM - 4.3

The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to th...

Vendor: webguyio
Product: Stop Spammers Classic
Published: Jan 28, 2026
Source: NVD
CVE-2025-14865 MEDIUM - 6.4

The Passster โ€“ Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level a...

Vendor: wpchill
Product: Passster โ€“ Password Protect Pages and Content
Published: Jan 28, 2026
Source: NVD
CVE-2020-36993 MEDIUM - 6.4

LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative context...

Vendor: Limesurvey
Product: LimeSurvey
Published: Jan 28, 2026
Source: NVD
CVE-2020-36988 MEDIUM - 5.4

PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript...

Vendor: GuidoNeele
Product: PDW File Browser
Published: Jan 28, 2026
Source: NVD
CVE-2026-1399 MEDIUM - 4.4

The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level pe...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1398 MEDIUM - 4.3

The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL vi...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1391 MEDIUM - 5.3

The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1380 MEDIUM - 4.3

The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, ...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1377 MEDIUM - 4.3

The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged...

Published: Jan 28, 2026
Source: NVD
CVE-2025-15511 MEDIUM - 5.3

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending...

Vendor: rupantorpay
Product: Rupantorpay
Published: Jan 28, 2026
Source: NVD
CVE-2025-14616 MEDIUM - 4.3

The Recooty โ€“ Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the reco...

Vendor: recooty
Product: Recooty โ€“ Job Widget (Old Dashboard)
Published: Jan 28, 2026
Source: NVD
CVE-2025-14283 MEDIUM - 6.4

The BlockArt Blocks โ€“ Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and outp...

Vendor: wpblockart
Product: BlockArt Blocks โ€“ Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Published: Jan 28, 2026
Source: NVD