Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,922
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,181 - 13,200 of 14,373 CVEs
CVE-2026-22276 MEDIUM - 5.5

Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.

Vendor: Dell
Product: ObjectScale
Published: Jan 23, 2026
Source: NVD
CVE-2026-22275 MEDIUM - 4.4

Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.

Vendor: Dell
Product: ObjectScale
Published: Jan 23, 2026
Source: NVD
CVE-2026-22274 MEDIUM - 6.5

Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modi...

Vendor: Dell
Product: ObjectScale
Published: Jan 23, 2026
Source: NVD
CVE-2025-46699 MEDIUM - 4.3

Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.

Vendor: Dell
Product: Data Protection Advisor
Published: Jan 23, 2026
Source: NVD
CVE-2026-0927 MEDIUM - 5.3

The KiviCare โ€“ Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upl...

Published: Jan 23, 2026
Source: NVD
CVE-2025-14745 MEDIUM - 6.4

The RSS Aggregator โ€“ RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output e...

Vendor: rebelcode
Product: RSS Aggregator โ€“ RSS Import, News Feeds, Feed to Post, and Autoblogging
Published: Jan 23, 2026
Source: NVD
CVE-2025-14069 MEDIUM - 6.4

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possibl...

Vendor: magazine3
Product: Schema & Structured Data for WP & AMP
Published: Jan 23, 2026
Source: NVD
CVE-2025-15522 MEDIUM - 6.4

The Uncanny Automator โ€“ Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and ou...

Vendor: uncannyowl
Product: Uncanny Automator โ€“ Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Published: Jan 23, 2026
Source: NVD
CVE-2026-0790 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The spec...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0789 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to ...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0788 MEDIUM - 5.3

ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vul...

Published: Jan 23, 2026
Source: NVD
CVE-2026-0767 MEDIUM - 5.3

Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exis...

Vendor: openwebui
Product: open_webui
Published: Jan 23, 2026
Source: NVD
CVE-2026-20912 MEDIUM - 9.1

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20904 MEDIUM - 6.5

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20750 MEDIUM - 9.1

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20888 MEDIUM - 4.3

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2026-20897 MEDIUM - 9.1

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Vendor: go
Product: github.com/go-gitea/gitea
Published: Jan 23, 2026
Source: GitHub
CVE-2025-67652 MEDIUM - 6.1

An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leav...

Vendor: AutomationDirect
Product: CLICK Programmable Logic Controller
Published: Jan 22, 2026
Source: NVD
CVE-2025-25051 MEDIUM - 6.1

An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks.

Vendor: AutomationDirect
Product: CLICK Programmable Logic Controller
Published: Jan 22, 2026
Source: NVD
CVE-2025-22234 MEDIUM - 5.3

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

Vendor: maven
Product: org.springframework.security:spring-security-core
Published: Jan 22, 2026
Source: GitHub