Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,776
Quick preset (or use dates below)
Clear Filters
Showing 12,921 - 12,940 of 14,675 CVEs
CVE-2025-9820 MEDIUM - 4.0

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the applica...

Published: Jan 26, 2026
Source: NVD
CVE-2025-14969 MEDIUM - 4.3

A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausti...

Vendor: Red Hat
Product: Red Hat build of Quarkus, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, Red Hat OpenShift Dev Spaces
Published: Jan 26, 2026
Source: NVD
CVE-2025-14525 MEDIUM - 6.4

A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking cha...

Vendor: Red Hat
Product: Red Hat OpenShift Virtualization 4
Published: Jan 26, 2026
Source: NVD
CVE-2025-11687 MEDIUM - 6.1

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page โ€” enabling DOM access, session cookie theft and other client-side attacks โ€” via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).

Vendor: pip
Product: gi-docgen
Published: Jan 26, 2026
Source: NVD
CVE-2025-11065 MEDIUM - 5.3

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-criti...

Published: Jan 26, 2026
Source: NVD
CVE-2025-70368 MEDIUM - 5.4

Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a v...

Published: Jan 26, 2026
Source: NVD
CVE-2026-24439 MEDIUM - 6.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable scri...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24437 MEDIUM - 5.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access.

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24435 MEDIUM - 6.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allow...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24433 MEDIUM - 5.4

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users acc...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24432 MEDIUM - 4.3

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered ...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24431 MEDIUM - 6.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials.

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-1446 MEDIUM - 5.0

There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute when a specific dialog is opened. This issue is fixed in ArcGIS Pro 3.6.1.

Vendor: esri
Product: arcgis_pro
Published: Jan 26, 2026
Source: NVD
CVE-2026-1224 MEDIUM - 4.9

Tanium addressed an uncontrolled resource consumption vulnerability in Discover.

Published: Jan 26, 2026
Source: NVD
CVE-2025-57785 MEDIUM - 6.5

A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution.

Vendor: Hiawatha
Product: Hiawatha Web server
Published: Jan 26, 2026
Source: NVD
CVE-2025-57784 MEDIUM - 4.0

Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client.

Vendor: Hiawatha
Product: Hiawatha Web server
Published: Jan 26, 2026
Source: NVD
CVE-2025-57783 MEDIUM - 5.3

Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver.

Vendor: Hiawatha
Product: Hiawatha Web server
Published: Jan 26, 2026
Source: NVD
CVE-2020-36960 MEDIUM - 6.4

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the...

Vendor: Formalms
Product: Forma LMS
Published: Jan 26, 2026
Source: NVD
CVE-2020-36956 MEDIUM - 6.4

Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users vie...

Vendor: igniterealtime
Product: Openfire
Published: Jan 26, 2026
Source: NVD
CVE-2020-36955 MEDIUM - 6.4

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page i...

Vendor: Getgrav
Product: Grav CMS Admin Plugin
Published: Jan 26, 2026
Source: NVD