Total CVEs

142,432

Critical Severity

3,972

High Severity

14,286

Last 7 Days

1,840
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,981 - 13,000 of 14,345 CVEs
CVE-2026-24437 MEDIUM - 5.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access.

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24435 MEDIUM - 6.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allow...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24433 MEDIUM - 5.4

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users acc...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24432 MEDIUM - 4.3

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered ...

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-24431 MEDIUM - 6.5

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials.

Vendor: Shenzhen Tenda Technology Co., Ltd.
Product: W30E V2
Published: Jan 26, 2026
Source: NVD
CVE-2026-1446 MEDIUM - 5.0

There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute when a specific dialog is opened. This issue is fixed in ArcGIS Pro 3.6.1.

Vendor: esri
Product: arcgis_pro
Published: Jan 26, 2026
Source: NVD
CVE-2026-1224 MEDIUM - 4.9

Tanium addressed an uncontrolled resource consumption vulnerability in Discover.

Published: Jan 26, 2026
Source: NVD
CVE-2025-57785 MEDIUM - 6.5

A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution.

Vendor: Hiawatha
Product: Hiawatha Web server
Published: Jan 26, 2026
Source: NVD
CVE-2025-57784 MEDIUM - 4.0

Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client.

Vendor: Hiawatha
Product: Hiawatha Web server
Published: Jan 26, 2026
Source: NVD
CVE-2025-57783 MEDIUM - 5.3

Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver.

Vendor: Hiawatha
Product: Hiawatha Web server
Published: Jan 26, 2026
Source: NVD
CVE-2020-36960 MEDIUM - 6.4

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the...

Vendor: Formalms
Product: Forma LMS
Published: Jan 26, 2026
Source: NVD
CVE-2020-36956 MEDIUM - 6.4

Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users vie...

Vendor: igniterealtime
Product: Openfire
Published: Jan 26, 2026
Source: NVD
CVE-2020-36955 MEDIUM - 6.4

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page i...

Vendor: Getgrav
Product: Grav CMS Admin Plugin
Published: Jan 26, 2026
Source: NVD
CVE-2020-36954 MEDIUM - 6.4

Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded.

Vendor: Xeroneit
Product: Xeroneit Library Management System
Published: Jan 26, 2026
Source: NVD
CVE-2025-50537 MEDIUM - 5.5

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function check...

Vendor: npm
Product: eslint
Published: Jan 26, 2026
Source: NVD
CVE-2026-1429 MEDIUM - 5.4

Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

Published: Jan 26, 2026
Source: NVD
CVE-2026-1425 MEDIUM - 5.6

A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attac...

Published: Jan 26, 2026
Source: NVD
CVE-2026-1424 MEDIUM - 4.7

A vulnerability was identified in PHPGurukul News Portal 1.0. This affects an unknown part of the component Profile Pic Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Vendor: phpgurukul
Product: news_portal
Published: Jan 26, 2026
Source: NVD
CVE-2026-1423 MEDIUM - 6.3

A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed a...

Vendor: fabian
Product: online_examination_system
Published: Jan 26, 2026
Source: NVD
CVE-2025-14973 MEDIUM - 6.8

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.

Vendor: Unknown
Product: Recipe Card Blocks Lite
Published: Jan 26, 2026
Source: NVD