Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,619
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,041 - 13,060 of 13,618 CVEs
CVE-2025-0647 HIGH - 7.9

In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. In this case, the PE may retain stale TLB entries which should have been invalidated by th...

Published: Jan 14, 2026
Source: NVD
CVE-2025-14770 HIGH - 7.5

The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possi...

Published: Jan 14, 2026
Source: NVD
CVE-2025-15378 HIGH - 7.2

The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insuff...

Published: Jan 14, 2026
Source: NVD
CVE-2025-15283 HIGH - 7.2

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it p...

Published: Jan 14, 2026
Source: NVD
CVE-2025-15266 HIGH - 7.2

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible f...

Published: Jan 14, 2026
Source: NVD
CVE-2025-14615 HIGH - 7.1

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unaut...

Published: Jan 14, 2026
Source: NVD
CVE-2025-14613 HIGH - 7.2

The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] ...

Published: Jan 14, 2026
Source: NVD
CVE-2025-68968 HIGH - 7.8

Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function.

Vendor: huawei
Product: harmonyos
Published: Jan 14, 2026
Source: NVD
CVE-2025-12053 HIGH - 7.8

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow.

Published: Jan 14, 2026
Source: NVD
CVE-2025-12052 HIGH - 7.8

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow.

Published: Jan 14, 2026
Source: NVD
CVE-2025-12051 HIGH - 7.8

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow.

Published: Jan 14, 2026
Source: NVD
CVE-2025-12050 HIGH - 7.8

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow.

Published: Jan 14, 2026
Source: NVD
CVE-2023-54340 HIGH - 8.2

WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database in...

Published: Jan 13, 2026
Source: NVD
CVE-2023-54338 HIGH - 8.4

Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissi...

Published: Jan 13, 2026
Source: NVD
CVE-2023-54336 HIGH - 8.4

Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\medicont3\ to inject malicious code that would execute with Lo...

Published: Jan 13, 2026
Source: NVD
CVE-2023-54333 HIGH - 8.2

Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire ...

Published: Jan 13, 2026
Source: NVD
CVE-2023-54331 HIGH - 8.4

Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalS...

Published: Jan 13, 2026
Source: NVD
CVE-2023-53984 HIGH - 8.4

Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. Attackers can exploit the misconfigured service path to inject and execute arbitrary code by placing mali...

Published: Jan 13, 2026
Source: NVD
CVE-2022-50939 HIGH - 7.2

e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter...

Vendor: e107
Product: e107
Published: Jan 13, 2026
Source: NVD
CVE-2022-50938 HIGH - 8.4

CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system priv...

Published: Jan 13, 2026
Source: NVD