Total CVEs

141,492

Critical Severity

3,867

High Severity

13,899

Last 7 Days

1,646
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,881 - 12,900 of 13,594 CVEs
CVE-2021-47816 HIGH - 8.8

Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with...

Vendor: Thecus
Product: Thecus N4800Eco Nas Server Control Panel
Published: Jan 16, 2026
Source: NVD
CVE-2025-31510 HIGH - 7.2

In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication.

Vendor: lemonldap-ng
Product: LemonLDAP::NG
Published: Jan 16, 2026
Source: NVD
CVE-2025-24528 HIGH - 7.1

In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.

Vendor: MIT
Product: Kerberos 5
Published: Jan 16, 2026
Source: NVD
CVE-2024-44238 HIGH - 7.8

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to corrupt coprocessor memory.

Vendor: Apple
Product: iOS and iPadOS
Published: Jan 16, 2026
Source: NVD
CVE-2026-23529 HIGH - 7.7

Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configuration...

Vendor: Aiven-Open
Product: bigquery-connector-for-apache-kafka
Published: Jan 16, 2026
Source: NVD
CVE-2025-71020 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_4C408 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: n/a
Product: n/a
Published: Jan 16, 2026
Source: NVD
CVE-2025-70746 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZone parameter of the fromSetSysTime function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: n/a
Product: n/a
Published: Jan 16, 2026
Source: NVD
CVE-2025-68921 HIGH - 7.8

SteelSeries Nahimic 3 1.10.7 allows directory traversal.

Vendor: steelseries
Product: nahimic
Published: Jan 16, 2026
Source: NVD
CVE-2026-0616 HIGH - 7.5

TheLibrarian's `web_fetch` tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.

Vendor: thelibrarian
Product: the_librarian
Published: Jan 16, 2026
Source: NVD
CVE-2026-0615 HIGH - 7.3

The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.

Vendor: thelibrarian
Product: the_librarian
Published: Jan 16, 2026
Source: NVD
CVE-2026-0613 HIGH - 7.5

The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses. The vendor has fi...

Vendor: thelibrarian
Product: the_librarian
Published: Jan 16, 2026
Source: NVD
CVE-2026-0612 HIGH - 7.5

The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions ...

Vendor: thelibrarian
Product: the_librarian
Published: Jan 16, 2026
Source: NVD
CVE-2025-14510 HIGH - 8.1

Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX. This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120.

Vendor: ABB
Product: ABB Ability OPTIMAX
Published: Jan 16, 2026
Source: NVD
CVE-2025-68675 HIGH - 7.5

In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such con...

Vendor: apache
Product: airflow
Published: Jan 16, 2026
Source: NVD
CVE-2025-68438 HIGH - 7.5

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not inclu...

Vendor: apache
Product: airflow
Published: Jan 16, 2026
Source: NVD
CVE-2025-14844 HIGH - 7.5

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to a missing capability check. Additionally, the plugin does not check a use...

Vendor: liquidweb
Product: restrict_content
Published: Jan 16, 2026
Source: NVD
CVE-2026-20759 HIGH - 8.8

OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command.

Vendor: TOA Corporation
Product: Multiple Network Cameras TRIFORA 3 series
Published: Jan 16, 2026
Source: NVD
CVE-2025-12007 HIGH - 7.2

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image.

Vendor: SMCI
Product: X13SEM-F
Published: Jan 16, 2026
Source: NVD
CVE-2025-12006 HIGH - 7.2

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F. An attacker can update the system firmware with a specially crafted image.

Vendor: SMCI
Product: X12STW-F
Published: Jan 16, 2026
Source: NVD
CVE-2025-12957 HIGH - 8.8

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file....

Vendor: plugins360
Product: All-in-One Video Gallery
Published: Jan 16, 2026
Source: NVD