Total CVEs

142,432

Critical Severity

3,972

High Severity

14,286

Last 7 Days

1,840
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,961 - 12,980 of 14,345 CVEs

pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects can...

Vendor: pip
Product: pypdf
Published: Jan 26, 2026
Source: GitHub
CVE-2026-24489 MEDIUM - 5.3

Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP reque...

Vendor: pip
Product: gakido
Published: Jan 26, 2026
Source: GitHub
CVE-2026-24131 MEDIUM - 5.5

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp&...

Vendor: pnpm
Product: pnpm
Published: Jan 26, 2026
Source: NVD
CVE-2026-24056 MEDIUM - 6.5

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~...

Vendor: pnpm
Product: pnpm
Published: Jan 26, 2026
Source: NVD
CVE-2026-24003 MEDIUM - 4.3

EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegit...

Vendor: EVerest
Product: everest-core
Published: Jan 26, 2026
Source: NVD
CVE-2026-23890 MEDIUM - 6.5

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path trave...

Vendor: pnpm
Product: pnpm
Published: Jan 26, 2026
Source: NVD
CVE-2026-23889 MEDIUM - 6.5

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory sep...

Vendor: pnpm
Product: pnpm
Published: Jan 26, 2026
Source: NVD
CVE-2026-23888 MEDIUM - 6.5

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths...

Vendor: pnpm
Product: pnpm
Published: Jan 26, 2026
Source: NVD
CVE-2026-1445 MEDIUM - 4.7

A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may...

Published: Jan 26, 2026
Source: NVD
CVE-2025-59473 MEDIUM - 6.0

SQL Injection vulnerability in the Structure for Admin authenticated user

Vendor: ExpressionEngine
Product: ExpressionEngine
Published: Jan 26, 2026
Source: NVD
CVE-2025-59472 MEDIUM - 5.9

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely relate...

Vendor: vercel
Product: next
Published: Jan 26, 2026
Source: NVD
CVE-2025-59471 MEDIUM - 5.9

A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to caus...

Vendor: vercel
Product: next
Published: Jan 26, 2026
Source: NVD
CVE-2026-0810 MEDIUM - 6.8

A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently proces...

Published: Jan 26, 2026
Source: NVD
CVE-2025-9820 MEDIUM - 4.0

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the applica...

Published: Jan 26, 2026
Source: NVD
CVE-2025-14969 MEDIUM - 4.3

A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausti...

Vendor: Red Hat
Product: Red Hat build of Quarkus, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, Red Hat OpenShift Dev Spaces
Published: Jan 26, 2026
Source: NVD
CVE-2025-14525 MEDIUM - 6.4

A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking cha...

Vendor: Red Hat
Product: Red Hat OpenShift Virtualization 4
Published: Jan 26, 2026
Source: NVD
CVE-2025-11687 MEDIUM - 6.1

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page โ€” enabling DOM access, session cookie theft and other client-side attacks โ€” via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).

Vendor: pip
Product: gi-docgen
Published: Jan 26, 2026
Source: NVD
CVE-2025-11065 MEDIUM - 5.3

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-criti...

Published: Jan 26, 2026
Source: NVD
CVE-2025-70368 MEDIUM - 5.4

Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a v...

Published: Jan 26, 2026
Source: NVD
CVE-2026-24439 MEDIUM - 6.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable scri...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD