Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,636
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,001 - 13,020 of 13,618 CVEs
CVE-2021-47843 HIGH - 7.2

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer...

Vendor: Tagstoo
Product: Tagstoo
Published: Jan 15, 2026
Source: NVD
CVE-2021-47784 HIGH - 7.5

Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash.

Vendor: Cyberfox
Product: Cyberfox Web Browser
Published: Jan 15, 2026
Source: NVD
CVE-2021-47777 HIGH - 8.2

Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially...

Vendor: Ribccs
Product: Build Smart ERP
Published: Jan 15, 2026
Source: NVD
CVE-2021-47775 HIGH - 8.4

YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind...

Vendor: Litexmedia
Product: YouTube Video Grabber
Published: Jan 15, 2026
Source: NVD
CVE-2021-47773 HIGH - 7.8

Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path...

Vendor: dynojet
Product: power_core
Published: Jan 15, 2026
Source: NVD
CVE-2021-47767 HIGH - 7.8

10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation ...

Vendor: 10-Strike
Product: Strike Network Inventory Explorer Pro
Published: Jan 15, 2026
Source: NVD
CVE-2021-47766 HIGH - 7.1

Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques...

Vendor: Levelprograms
Product: Kmaleon
Published: Jan 15, 2026
Source: NVD
CVE-2021-47763 HIGH - 8.2

Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint...

Vendor: Aimeos
Product: Aimeos Laravel ecommerce platform
Published: Jan 15, 2026
Source: NVD
CVE-2021-47762 HIGH - 7.8

HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access...

Vendor: Httpdebugger
Product: HTTPDebuggerPro
Published: Jan 15, 2026
Source: NVD
CVE-2021-47761 HIGH - 7.8

MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts.

Vendor: Millegpg
Product: MilleGPG5
Published: Jan 15, 2026
Source: NVD
CVE-2021-47758 HIGH - 8.8

Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrar...

Vendor: dharashah
Product: Chikitsa Patient Management System
Published: Jan 15, 2026
Source: NVD
CVE-2021-47757 HIGH - 8.8

Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server.

Vendor: chikitsa
Product: patient_management_system
Published: Jan 15, 2026
Source: NVD
CVE-2021-47755 HIGH - 7.5

Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the 'fileName' parameter to download sensiti...

Vendor: softlinkint
Product: oliver_v5_library
Published: Jan 15, 2026
Source: NVD
CVE-2021-47752 HIGH - 7.5

AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service...

Vendor: sylkat-tools
Product: awebserver
Published: Jan 15, 2026
Source: NVD
CVE-2025-71019 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: tenda
Product: ax1806_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2025-70744 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: tenda
Product: ax1806_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-0897 HIGH - 7.5

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive con...

Vendor: keras
Product: keras
Published: Jan 15, 2026
Source: NVD
CVE-2025-13062 HIGH - 8.8

The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. ...

Vendor: divisupreme
Product: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
Published: Jan 15, 2026
Source: NVD
CVE-2026-22920 HIGH - 7.5

The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22918 HIGH - 8.2

An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD