Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,787
Quick preset (or use dates below)
Clear Filters
Showing 12,861 - 12,880 of 14,675 CVEs
CVE-2026-24850 MEDIUM - 5.3

The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplic...

Vendor: RustCrypto
Product: signatures
Published: Jan 28, 2026
Source: NVD
CVE-2026-24839 MEDIUM - 4.7

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into perfo...

Vendor: Dokploy
Product: dokploy
Published: Jan 28, 2026
Source: NVD
CVE-2026-24784 MEDIUM - 6.8

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2....

Vendor: dnnsoftware
Product: Dnn.Platform
Published: Jan 28, 2026
Source: NVD
CVE-2026-24910 MEDIUM - 5.9

In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).

Vendor: Bun
Product: Bun
Published: Jan 27, 2026
Source: NVD
CVE-2026-24909 MEDIUM - 5.9

vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.

Vendor: vlt
Product: vlt
Published: Jan 27, 2026
Source: NVD

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-em...

Vendor: akuity
Product: kargo
Published: Jan 27, 2026
Source: NVD
CVE-2026-24134 MEDIUM - 6.5

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Edi...

Vendor: npm
Product: studiocms
Published: Jan 27, 2026
Source: GitHub
CVE-2026-1504 MEDIUM - 6.5

Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Published: Jan 27, 2026
Source: NVD
CVE-2026-24771 MEDIUM - 4.7

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered a...

Vendor: honojs
Product: hono
Published: Jan 27, 2026
Source: NVD
CVE-2026-24398 MEDIUM - 4.8

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly vali...

Vendor: honojs
Product: hono
Published: Jan 27, 2026
Source: NVD
CVE-2026-23892 MEDIUM - 5.9

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first...

Vendor: OctoPrint
Product: OctoPrint
Published: Jan 27, 2026
Source: NVD
CVE-2026-22263 MEDIUM - 5.3

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.

Vendor: OISF
Product: suricata
Published: Jan 27, 2026
Source: NVD
CVE-2026-22262 MEDIUM - 5.9

Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use r...

Vendor: OISF
Product: suricata
Published: Jan 27, 2026
Source: NVD
CVE-2026-0746 MEDIUM - 6.4

The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations ...

Published: Jan 27, 2026
Source: NVD
CVE-2020-36978 MEDIUM - 6.4

Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules.

Vendor: Froxlor
Product: Froxlor Froxlor Server Management Panel
Published: Jan 27, 2026
Source: NVD

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Imp...

Vendor: npm
Product: hono
Published: Jan 27, 2026
Source: GitHub
CVE-2026-24472 MEDIUM - 5.3

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control header...

Vendor: npm
Product: hono
Published: Jan 27, 2026
Source: GitHub
CVE-2025-14911 MEDIUM - 6.5

User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.

Vendor: MongoDB
Product: Mongo-c-driver
Published: Jan 27, 2026
Source: NVD
CVE-2026-0705 MEDIUM - 6.7

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cloud Manager (Windows) before build 6.4.25342.354.

Published: Jan 27, 2026
Source: NVD
CVE-2025-65264 MEDIUM - 5.5

The kernel driver of CPUID CPU-Z v2.17 and earlier does not validate user-supplied values passed via its IOCTL interface, allowing an attacker to access sensitive information via a crafted request.

Published: Jan 27, 2026
Source: NVD