Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,906
Quick preset (or use dates below)
Clear Filters
Showing 13,161 - 13,180 of 14,327 CVEs
CVE-2025-70644 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: n/a
Product: n/a
Published: Jan 21, 2026
Source: NVD
CVE-2026-23957 HIGH - 7.5

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time....

Vendor: npm
Product: seroval
Published: Jan 21, 2026
Source: GitHub
CVE-2026-23956 HIGH - 7.5

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp seri...

Vendor: npm
Product: seroval
Published: Jan 21, 2026
Source: GitHub
CVE-2025-70651 HIGH - 7.5

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: n/a
Product: n/a
Published: Jan 21, 2026
Source: NVD
CVE-2025-70650 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: n/a
Product: n/a
Published: Jan 21, 2026
Source: NVD
CVE-2025-70645 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: n/a
Product: n/a
Published: Jan 21, 2026
Source: NVD
CVE-2026-23965 HIGH - 7.5

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbi...

Vendor: npm
Product: sm-crypto
Published: Jan 21, 2026
Source: GitHub
CVE-2026-23967 HIGH - 7.5

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previous...

Vendor: npm
Product: sm-crypto
Published: Jan 21, 2026
Source: GitHub
CVE-2026-22807 HIGH - 8.8

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo...

Vendor: pip
Product: vllm
Published: Jan 21, 2026
Source: GitHub
CVE-2026-23737 HIGH - 7.5

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant ...

Vendor: npm
Product: seroval
Published: Jan 21, 2026
Source: GitHub
CVE-2026-23736 HIGH - 7.3

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deser...

Vendor: npm
Product: seroval
Published: Jan 21, 2026
Source: GitHub
CVE-2026-22444 HIGH - 7.1

The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://h...

Vendor: maven
Product: org.apache.solr:solr-core
Published: Jan 21, 2026
Source: GitHub
CVE-2026-22022 HIGH - 8.2

Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.ย  Only deployments that meet all of the followin...

Vendor: maven
Product: org.apache.solr:solr-core
Published: Jan 21, 2026
Source: GitHub
CVE-2025-13878 HIGH - 7.5

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Vendor: ISC
Product: BIND 9
Published: Jan 21, 2026
Source: NVD
CVE-2026-24016 HIGH - 7.8

The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed.

Vendor: Fsas Technologies Inc.
Product: ServerView Agents for Windows
Published: Jan 21, 2026
Source: NVD
CVE-2025-68133 HIGH - 7.4

EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new ...

Vendor: EVerest
Product: everest-core
Published: Jan 21, 2026
Source: NVD
CVE-2026-23950 HIGH - 8.8

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has ...

Vendor: npm
Product: tar
Published: Jan 21, 2026
Source: GitHub

SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.

Vendor: go
Product: github.com/siyuan-note/siyuan/kernel
Published: Jan 21, 2026
Source: GitHub

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without pro...

Vendor: go
Product: github.com/siyuan-note/siyuan/kernel
Published: Jan 21, 2026
Source: GitHub
CVE-2026-21990 HIGH - 8.2

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...

Published: Jan 20, 2026
Source: NVD