Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,922
Quick preset (or use dates below)
Clear Filters
Showing 13,101 - 13,120 of 14,327 CVEs
CVE-2025-13928 HIGH - 7.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.

Vendor: GitLab
Product: GitLab
Published: Jan 22, 2026
Source: NVD
CVE-2025-13927 HIGH - 7.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data.

Vendor: GitLab
Product: GitLab
Published: Jan 22, 2026
Source: NVD
CVE-2025-10856 HIGH - 8.1

Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection.This issue affects Teknoera: through 01102025.

Vendor: Solvera Software Services Trade Inc.
Product: Teknoera
Published: Jan 22, 2026
Source: NVD
CVE-2025-10855 HIGH - 7.5

Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025.

Vendor: Solvera Software Services Trade Inc.
Product: Teknoera
Published: Jan 22, 2026
Source: NVD
CVE-2025-10024 HIGH - 7.5

Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection.This issue affects Education Management System: through 23.09.2025.

Vendor: EXERT Computer Technologies Software Ltd. Co.
Product: Education Management System
Published: Jan 22, 2026
Source: NVD
CVE-2025-4764 HIGH - 8.0

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection.This issue affects Hotel Guest Hotspot: through 22012026.  NOTE: The vendor was contacted early about th...

Published: Jan 22, 2026
Source: NVD
CVE-2026-1330 HIGH - 7.5

MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.

Published: Jan 22, 2026
Source: NVD
CVE-2026-24038 HIGH - 8.1

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is...

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-24010 HIGH - 8.8

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker c...

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-23962 HIGH - 7.5

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing res...

Vendor: mastodon
Product: mastodon
Published: Jan 22, 2026
Source: NVD
CVE-2026-23699 HIGH - 7.2

AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices.

Vendor: Ruijie Networks Co., Ltd.
Product: AP180(JA) V1.xx, AP180(JP) V1.xx, AP180-AC V1.xx, AP180-PE V1.xx, AP180(JA) V2.xx, AP180-AC V2.xx, AP180-PE V2.xx, AP180-AC V3.xx, AP180-PE V3.xx
Published: Jan 22, 2026
Source: NVD
CVE-2025-27380 HIGH - 7.6

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.

Vendor: Altium
Product: AES
Published: Jan 22, 2026
Source: NVD
CVE-2025-27378 HIGH - 8.6

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.

Vendor: Altium
Product: AES
Published: Jan 22, 2026
Source: NVD

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenti...

Vendor: go
Product: github.com/charmbracelet/soft-serve
Published: Jan 21, 2026
Source: GitHub

SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-has...

Vendor: npm
Product: wrangler
Published: Jan 21, 2026
Source: GitHub
CVE-2026-24046 HIGH - 7.1

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via t...

Vendor: npm
Product: @backstage/backend-defaults
Published: Jan 21, 2026
Source: GitHub

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server...

Vendor: go
Product: github.com/argoproj/argo-workflows/v3
Published: Jan 21, 2026
Source: GitHub
CVE-2025-68141 HIGH - 7.4

EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. This occurs in the method...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD
CVE-2025-68137 HIGH - 8.3

EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtra...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD
CVE-2025-68136 HIGH - 7.4

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, with...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD