Total CVEs

141,492

Critical Severity

3,867

High Severity

13,899

Last 7 Days

1,601
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 12,961 - 12,980 of 13,594 CVEs
CVE-2026-22774 HIGH - 7.5

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse in...

Vendor: svelte
Product: devalue
Published: Jan 15, 2026
Source: NVD
CVE-2026-0227 HIGH - 7.5

A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode.

Vendor: paloaltonetworks
Product: pan-os
Published: Jan 15, 2026
Source: NVD
CVE-2025-70307 HIGH - 7.5

A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet.

Vendor: n/a
Product: n/a
Published: Jan 15, 2026
Source: NVD
CVE-2025-36911 HIGH - 7.1

In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Jan 15, 2026
Source: NVD
CVE-2026-22867 HIGH - 8.7

LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker...

Vendor: suitenumerique
Product: docs
Published: Jan 15, 2026
Source: NVD
CVE-2026-22265 HIGH - 7.5

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py li...

Vendor: roxy-wi
Product: roxy-wi
Published: Jan 15, 2026
Source: NVD
CVE-2025-70656 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: tenda
Product: ax1806_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2025-70308 HIGH - 7.5

An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-70304 HIGH - 7.5

A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-70298 HIGH - 8.2

GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-66292 HIGH - 8.1

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative ba...

Vendor: donknap
Product: dpanel
Published: Jan 15, 2026
Source: NVD
CVE-2025-67246 HIGH - 7.3

A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. ...

Vendor: ludashi
Product: ludashi_driver
Published: Jan 15, 2026
Source: NVD
CVE-2025-67077 HIGH - 8.8

File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action.

Vendor: agora-project
Product: agora-project
Published: Jan 15, 2026
Source: NVD
CVE-2025-67076 HIGH - 7.5

Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read.

Vendor: agora-project
Product: agora-project
Published: Jan 15, 2026
Source: NVD
CVE-2025-64516 HIGH - 7.5

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in...

Vendor: glpi-project
Product: glpi
Published: Jan 15, 2026
Source: NVD
CVE-2025-61973 HIGH - 8.8

A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges.

Vendor: Epic Games
Product: Epic Games Store
Published: Jan 15, 2026
Source: NVD
CVE-2021-47843 HIGH - 7.2

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer...

Vendor: Tagstoo
Product: Tagstoo
Published: Jan 15, 2026
Source: NVD
CVE-2021-47784 HIGH - 7.5

Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash.

Vendor: Cyberfox
Product: Cyberfox Web Browser
Published: Jan 15, 2026
Source: NVD
CVE-2021-47777 HIGH - 8.2

Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially...

Vendor: Ribccs
Product: Build Smart ERP
Published: Jan 15, 2026
Source: NVD
CVE-2021-47775 HIGH - 8.4

YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind...

Vendor: Litexmedia
Product: YouTube Video Grabber
Published: Jan 15, 2026
Source: NVD