Total CVEs

141,492

Critical Severity

3,867

High Severity

13,899

Last 7 Days

1,659
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,841 - 12,860 of 13,594 CVEs
CVE-2026-1124 HIGH - 7.3

A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the att...

Published: Jan 18, 2026
Source: NVD
CVE-2026-0863 HIGH - 8.5

Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permis...

Published: Jan 18, 2026
Source: NVD
CVE-2026-1123 HIGH - 7.3

A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and ...

Published: Jan 18, 2026
Source: NVD
CVE-2026-1122 HIGH - 7.3

A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclos...

Published: Jan 18, 2026
Source: NVD
CVE-2026-1121 HIGH - 7.3

A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and ...

Published: Jan 18, 2026
Source: NVD
CVE-2026-1120 HIGH - 7.3

A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been discl...

Published: Jan 18, 2026
Source: NVD
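The five Yonyou KSOA entries above share one shape: a GET request to a fixed JSP path whose ID parameter is used in a query. That makes them cheap to hunt for retroactively in web-server access logs. The script below is an added example written for this page, not code from the vendor, the reporter or NVD; it maps each listed path to its CVE, pulls the ID parameter out of each request line and flags values that are not a bare integer and carry SQL metacharacters or keywords. The log lines are constructed for illustration (RFC 5737 addresses, combined log format), and matching the parameter name case-insensitively is a deliberate loosening, not something the advisories state.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> CVE, taken from the five Yonyou KSOA 9.0 advisories listed above.
AFFECTED_ENDPOINTS = {
    "/worksheet/work_report.jsp": "CVE-2026-1124",
    "/worksheet/work_mod.jsp": "CVE-2026-1123",
    "/worksheet/work_info.jsp": "CVE-2026-1122",
    "/worksheet/del_workplan.jsp": "CVE-2026-1121",
    "/worksheet/del_work.jsp": "CVE-2026-1120",
}

# Heuristic for a tampered ID: quotes, comment markers, statement separators
# or common SQL keywords. This is a triage filter, not a WAF rule; expect
# some false positives and review hits by hand.
SQLI_HINT = re.compile(
    r"(['\"`;]|--|/\*|\b(or|and|union|select|sleep|benchmark|waitfor)\b)",
    re.IGNORECASE,
)

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def triage_line(line):
    """Return a hit dict if the line is a suspicious request to one of the
    affected endpoints, otherwise None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    cve = AFFECTED_ENDPOINTS.get(url.path)
    if cve is None:
        return None
    # parse_qs also percent-decodes, so "%20OR%20" becomes " OR " before matching.
    params = parse_qs(url.query, keep_blank_values=True)
    for name, values in params.items():
        # The advisories name the parameter "ID"; case-insensitive match is an
        # assumption made here to survive logging-pipeline normalisation.
        if name.lower() != "id":
            continue
        for value in values:
            # A well-formed ID is a bare integer; anything else carrying SQL
            # metacharacters is worth a look.
            if not value.isdigit() and SQLI_HINT.search(value):
                return {
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "path": url.path,
                    "cve": cve,
                    "id": value,
                }
    return None


def triage(lines):
    """Run triage_line over an iterable of log lines and collect the hits."""
    return [hit for hit in map(triage_line, lines) if hit]


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2026:10:01:02 +0000] "GET /worksheet/work_report.jsp?ID=1'%20OR%201=1-- HTTP/1.1" 200 5120
203.0.113.7 - - [18/Jan/2026:10:01:05 +0000] "GET /worksheet/work_info.jsp?ID=42 HTTP/1.1" 200 812
198.51.100.9 - - [18/Jan/2026:10:02:11 +0000] "GET /worksheet/del_workplan.jsp?id=7%20AND%20SLEEP(5) HTTP/1.1" 500 0
198.51.100.9 - - [18/Jan/2026:10:02:30 +0000] "GET /index.jsp?ID=1' HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit)
```

Only the first and third constructed lines are reported: the second carries a plain integer and the fourth targets a path that is not in the listing. A 500 on a flagged request (third line) is the pattern to prioritise, since it is consistent with the injected text reaching the database layer.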
CVE-2026-1119 HIGH - 7.3

A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been ...

Published: Jan 18, 2026
Source: NVD
CVE-2026-1105 HIGH - 7.3

A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was co...

Published: Jan 18, 2026
Source: NVD
CVE-2026-1059 HIGH - 7.3

A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried ou...

Published: Jan 17, 2026
Source: NVD
CVE-2026-1050 HIGH - 7.3

A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be lau...

Published: Jan 17, 2026
Source: NVD
CVE-2025-14478 HIGH - 7.5

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vul...

Vendor: kraftplugins
Product: Demo Importer Plus
Published: Jan 17, 2026
Source: NVD
CVE-2026-20960 HIGH - 8.0

Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.

Published: Jan 16, 2026
Source: NVD
CVE-2026-23742 HIGH - 8.8

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The con...

Vendor: zalando
Product: skipper
Published: Jan 16, 2026
Source: NVD
CVE-2026-23723 HIGH - 7.2

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitr...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Jan 16, 2026
Source: NVD
CVE-2026-23535 HIGH - 8.0

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

Vendor: WeblateOrg
Product: wlc
Published: Jan 16, 2026
Source: NVD
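The wlc entry describes the classic client-side trap: a file name chosen by the server is used to decide where a download lands on disk. The check below is an added example, not wlc's own code or its fix; it shows the containment test a client should apply before writing, rejecting absolute names, `..` segments, backslashes and NUL, and then confirming after symlink resolution that the target is still inside the destination directory. The destination path and the translation-file names in the usage are assumed for illustration.

```python
from pathlib import Path, PurePosixPath


class UnsafeServerPath(ValueError):
    """Raised when a server-supplied file name would escape the destination."""


def safe_destination(dest_dir, server_name):
    """Map a file name received from the server onto a path strictly inside
    dest_dir, or raise UnsafeServerPath.

    Two layers: a syntactic check on the name as received, then a semantic
    check on the resolved path (catches symlinked subdirectories that point
    outside dest_dir, which the syntactic check cannot see).
    """
    if not server_name or "\x00" in server_name or "\\" in server_name:
        raise UnsafeServerPath("empty, NUL or backslash in name: %r" % server_name)
    rel = PurePosixPath(server_name)
    # PurePosixPath collapses "." and "//" but keeps ".." so we can see it.
    if rel.is_absolute() or not rel.parts or ".." in rel.parts:
        raise UnsafeServerPath("absolute, empty or traversing name: %r" % server_name)
    base = Path(dest_dir).resolve()
    target = (base / rel).resolve()  # follows symlinks in the existing prefix
    if base not in target.parents:
        raise UnsafeServerPath("resolves outside destination: %r" % server_name)
    return target


def is_safe_name(dest_dir, server_name):
    """Boolean form of safe_destination for callers that only want a verdict."""
    try:
        safe_destination(dest_dir, server_name)
    except UnsafeServerPath:
        return False
    return True


def save_download(dest_dir, server_name, data):
    """Write data to the checked location; parent directories are created
    inside dest_dir only, because the target has already been contained."""
    target = safe_destination(dest_dir, server_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # Assumed destination and server-supplied names, for illustration only.
    out = "/tmp/wlc-out"
    for name in ["de/LC_MESSAGES/django.po", "../../etc/cron.d/evil", "/etc/passwd"]:
        print(name, "->", "ok" if is_safe_name(out, name) else "REJECTED")
```

The order of the checks matters: `".." in rel.parts` is evaluated on the name as received, before any filesystem access, so a hostile server cannot rely on the client normalising the path first. The `resolve()` step is what catches the case where a previously downloaded symlink (or one planted by another process) turns an innocent-looking relative name into an escape.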
CVE-2026-23490 HIGH - 7.5

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Vendor: pyasn1
Product: pyasn1
Published: Jan 16, 2026
Source: NVD
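The pyasn1 entry is a decoder-side resource-exhaustion bug: a RELATIVE-OID subidentifier is base-128 encoded with the high bit set on every octet except the last, so a stream of continuation octets that never terminates keeps an unbounded accumulator growing. The decoder below is an added example written for this page, not pyasn1's code or its fix; it applies the two defences a practitioner wants here, a per-subidentifier octet cap (10 octets covers any 64-bit value) and the X.690 minimal-encoding rule that a leading 0x80 octet is illegal, and it reports a truncated final subidentifier instead of silently accepting it. The encoder is included so the round trip can be checked; the 8571.3.2 vector is the one from X.690.

```python
# Any 64-bit subidentifier fits in ceil(64 / 7) = 10 base-128 octets; a
# larger cap is allowed but the point is that one exists (assumed limit).
MAX_SUBID_OCTETS = 10


class RelativeOidError(ValueError):
    """Malformed RELATIVE-OID content octets."""


def decode_relative_oid(content, max_subid_octets=MAX_SUBID_OCTETS):
    """Decode RELATIVE-OID content octets (the bytes after tag and length)
    into a tuple of integer arcs, refusing oversized, non-minimal or
    truncated subidentifiers."""
    arcs = []
    value = 0
    octets_in_arc = 0
    for b in content:
        octets_in_arc += 1
        if octets_in_arc > max_subid_octets:
            # This is the guard that stops the unbounded accumulator: the
            # check fires before the value can grow past the cap.
            raise RelativeOidError(
                "subidentifier longer than %d octets" % max_subid_octets)
        if octets_in_arc == 1 and b == 0x80:
            # X.690 8.19.2: the leading octet of a subidentifier shall not be 0x80.
            raise RelativeOidError("non-minimal encoding (leading 0x80)")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
            octets_in_arc = 0
    if octets_in_arc:
        raise RelativeOidError("truncated: last octet has continuation bit set")
    return tuple(arcs)


def encode_relative_oid(arcs):
    """Inverse of decode_relative_oid, producing minimal base-128 encoding."""
    out = bytearray()
    for arc in arcs:
        if arc < 0:
            raise ValueError("arcs must be non-negative")
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def is_well_formed(content, max_subid_octets=MAX_SUBID_OCTETS):
    """Boolean wrapper for callers that just need accept/reject."""
    try:
        decode_relative_oid(content, max_subid_octets)
    except RelativeOidError:
        return False
    return True


if __name__ == "__main__":
    print(decode_relative_oid(bytes.fromhex("c27b0302")))      # X.690 example 8571.3.2
    hostile = b"\x81" + b"\x80" * 1_000_000 + b"\x01"           # constructed input
    print("hostile accepted:", is_well_formed(hostile))         # rejected at octet 11
```

The hostile input above is a single subidentifier padded with a million continuation octets. Without the cap, a decoder shifts a Python integer left seven bits per octet and its size grows linearly with the input; with the cap, the input is rejected after eleven octets regardless of how long it is.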
CVE-2025-68924 HIGH - 7.5

In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

Vendor: Umbraco
Product: Forms
Published: Jan 16, 2026
Source: NVD
CVE-2025-62291 HIGH - 8.1

In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow.

Vendor: strongSwan
Product: strongSwan
Published: Jan 16, 2026
Source: NVD
CVE-2025-48647 HIGH - 7.8

In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: Google
Product: Google Devices
Published: Jan 16, 2026
Source: NVD
CVE-2025-15032 HIGH - 7.4

Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.

Vendor: The Browser Company of New York
Product: Dia
Published: Jan 16, 2026
Source: NVD