Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,745
Quick preset (or use dates below)
Clear Filters
Showing 13,001 - 13,020 of 14,675 CVEs
CVE-2025-52022 MEDIUM - 5.3

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public ...

Vendor: n/a
Product: n/a
Published: Jan 23, 2026
Source: NVD
CVE-2026-24422 MEDIUM - 5.3

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning r...

Vendor: composer
Product: phpmyfaq/phpmyfaq
Published: Jan 23, 2026
Source: GitHub
CVE-2026-24421 MEDIUM - 6.5

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has config...

Vendor: composer
Product: phpmyfaq/phpmyfaq
Published: Jan 23, 2026
Source: GitHub
CVE-2026-24420 MEDIUM - 6.5

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachmen...

Vendor: composer
Product: phpmyfaq/phpmyfaq
Published: Jan 23, 2026
Source: GitHub
CVE-2025-71177 MEDIUM - 5.4

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper ...

Vendor: composer
Product: lavalite/cms
Published: Jan 23, 2026
Source: GitHub
CVE-2025-67124 MEDIUM - 6.8

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination direct...

Vendor: rust
Product: miniserve
Published: Jan 23, 2026
Source: GitHub
CVE-2025-14947 MEDIUM - 6.5

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up ...

Vendor: plugins360
Product: All-in-One Video Gallery
Published: Jan 23, 2026
Source: NVD
CVE-2025-67231 MEDIUM - 5.9

A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload.

Vendor: n/a
Product: n/a
Published: Jan 23, 2026
Source: NVD
CVE-2021-47906 MEDIUM - 6.4

BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users�...

Vendor: BloofoxCMS
Product: BloofoxCMS
Published: Jan 23, 2026
Source: NVD
CVE-2021-47905 MEDIUM - 6.1

MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons.

Vendor: vintagedaddyo
Product: MyBB Delete Account Plugin
Published: Jan 23, 2026
Source: NVD
CVE-2021-47899 MEDIUM - 4.0

YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by u...

Vendor: Mfscripts
Product: YetiShare File Hosting Script
Published: Jan 23, 2026
Source: NVD
CVE-2018-25132 MEDIUM - 6.1

MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget.

Vendor: zainali99
Product: MyBB Trending Widget Plugin
Published: Jan 23, 2026
Source: NVD
CVE-2018-25116 MEDIUM - 6.1

MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.

Vendor: jamiesage123
Product: MyBB Thread Redirect Plugin
Published: Jan 23, 2026
Source: NVD

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to cra...

Vendor: maven
Product: org.xwiki.platform:xwiki-platform-web-templates
Published: Jan 23, 2026
Source: GitHub
CVE-2025-67125 MEDIUM - 4.4

A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on o...

Vendor: n/a
Product: n/a
Published: Jan 23, 2026
Source: NVD
CVE-2026-24636 MEDIUM - 4.3

Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sugar Calendar (Lite): from n/a through <= 3.10.1.

Vendor: Syed Balkhi
Product: Sugar Calendar (Lite)
Published: Jan 23, 2026
Source: NVD
CVE-2026-24634 MEDIUM - 5.3

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Reviews: from n/a through <= 3.2.16.

Vendor: Rustaurius
Product: Ultimate Reviews
Published: Jan 23, 2026
Source: NVD
CVE-2026-24633 MEDIUM - 5.3

Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Expires Headers & Optimized Minify: from n/a through <= 3.1.0.

Vendor: Passionate Brains
Product: Add Expires Headers & Optimized Minify
Published: Jan 23, 2026
Source: NVD
CVE-2026-24632 MEDIUM - 5.9

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS.This issue affects Delay Redirects: from n/a through <= 1.0.0.

Vendor: jagdish1o1
Product: Delay Redirects
Published: Jan 23, 2026
Source: NVD
CVE-2026-24631 MEDIUM - 5.4

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rosebud: from n/a through <= 1.4.

Vendor: Mikado-Themes
Product: Rosebud
Published: Jan 23, 2026
Source: NVD