Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,806
Quick preset (or use dates below)
Clear Filters
Showing 13,141 - 13,160 of 14,713 CVEs
CVE-2025-46699 MEDIUM - 4.3

Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.

Vendor: Dell
Product: Data Protection Advisor
Published: Jan 23, 2026
Source: NVD
CVE-2026-0927 MEDIUM - 5.3

The KiviCare โ€“ Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upl...

Published: Jan 23, 2026
Source: NVD
CVE-2025-14745 MEDIUM - 6.4

The RSS Aggregator โ€“ RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output e...

Vendor: rebelcode
Product: RSS Aggregator โ€“ RSS Import, News Feeds, Feed to Post, and Autoblogging
Published: Jan 23, 2026
Source: NVD
CVE-2025-14069 MEDIUM - 6.4

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possibl...

Vendor: magazine3
Product: Schema & Structured Data for WP & AMP
Published: Jan 23, 2026
Source: NVD
CVE-2025-15522 MEDIUM - 6.4

The Uncanny Automator โ€“ Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and ou...

Vendor: uncannyowl
Product: Uncanny Automator โ€“ Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Published: Jan 23, 2026
Source: NVD
CVE-2026-0790 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The spec...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0789 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to ...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0788 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vul...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0767 MEDIUM - 5.3

Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exis...

Vendor: openwebui
Product: open_webui
Published: Jan 23, 2026
Source: NVD
CVE-2026-20912 MEDIUM - 9.1

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20904 MEDIUM - 6.5

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20750 MEDIUM - 9.1

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20888 MEDIUM - 4.3

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20897 MEDIUM - 9.1

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2025-67652 MEDIUM - 6.1

An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leav...

Vendor: AutomationDirect
Product: CLICK Programmable Logic Controller
Published: Jan 22, 2026
Source: NVD
CVE-2025-25051 MEDIUM - 6.1

An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks.

Vendor: AutomationDirect
Product: CLICK Programmable Logic Controller
Published: Jan 22, 2026
Source: NVD
CVE-2025-22234 MEDIUM - 5.3

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

Vendor: maven
Product: org.springframework.security:spring-security-core
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24137 MEDIUM - 5.8

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from sign...

Vendor: go
Product: github.com/sigstore/sigstore
Published: Jan 22, 2026
Source: GitHub
CVE-2026-22280 MEDIUM - 5.0

Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local ...

Vendor: Dell
Product: PowerScale OneFS
Published: Jan 22, 2026
Source: NVD
CVE-2026-22279 MEDIUM - 4.3

Dell PowerScale OneFS, versions prior 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering.

Vendor: Dell
Product: PowerScale OneFS
Published: Jan 22, 2026
Source: NVD