Total CVEs

142,432

Critical Severity

3,972

High Severity

14,286

Last 7 Days

1,840
Quick preset (or use dates below)
Clear Filters
Showing 13,161 - 13,180 of 14,728 CVEs
CVE-2026-0790 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The spec...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0789 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to ...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0788 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vul...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0767 MEDIUM - 5.3

Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exis...

Vendor: openwebui
Product: open_webui
Published: Jan 23, 2026
Source: NVD
CVE-2026-20912 MEDIUM - 9.1

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20904 MEDIUM - 6.5

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20750 MEDIUM - 9.1

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20888 MEDIUM - 4.3

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20897 MEDIUM - 9.1

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2025-67652 MEDIUM - 6.1

An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leav...

Vendor: AutomationDirect
Product: CLICK Programmable Logic Controller
Published: Jan 22, 2026
Source: NVD
CVE-2025-25051 MEDIUM - 6.1

An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks.

Vendor: AutomationDirect
Product: CLICK Programmable Logic Controller
Published: Jan 22, 2026
Source: NVD
CVE-2025-22234 MEDIUM - 5.3

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

Vendor: maven
Product: org.springframework.security:spring-security-core
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24137 MEDIUM - 5.8

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from sign...

Vendor: go
Product: github.com/sigstore/sigstore
Published: Jan 22, 2026
Source: GitHub
CVE-2026-22280 MEDIUM - 5.0

Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local ...

Vendor: Dell
Product: PowerScale OneFS
Published: Jan 22, 2026
Source: NVD
CVE-2026-22279 MEDIUM - 4.3

Dell PowerScale OneFS, versions prior 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering.

Vendor: Dell
Product: PowerScale OneFS
Published: Jan 22, 2026
Source: NVD
CVE-2025-68609 MEDIUM - 6.6

A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible...

Vendor: Palantir
Product: com.palantir.aries:aries
Published: Jan 22, 2026
Source: NVD
CVE-2026-24117 MEDIUM - 5.3

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate sta...

Vendor: go
Product: github.com/sigstore/rekor
Published: Jan 22, 2026
Source: GitHub
CVE-2026-23831 MEDIUM - 5.3

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is ...

Vendor: go
Product: github.com/sigstore/rekor
Published: Jan 22, 2026
Source: GitHub
CVE-2025-67221 MEDIUM - 7.5

The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents.

Vendor: pip
Product: orjson
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24389 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS.This issue affects Gallery PhotoBlocks: from n/a through <= 1.3.2.

Vendor: WP Chill
Product: Gallery PhotoBlocks
Published: Jan 22, 2026
Source: NVD