Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,906
Quick preset (or use dates below)
Clear Filters
Showing 13,201 - 13,220 of 14,327 CVEs
CVE-2025-66692 HIGH - 7.5

A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-63648 HIGH - 7.5

A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-63647 HIGH - 7.5

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-59465 HIGH - 7.5

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that d...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD
CVE-2025-57156 HIGH - 7.5

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-57155 HIGH - 7.5

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service.

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-55131 HIGH - 7.1

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contai...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD
CVE-2025-55130 HIGH - 7.1

A flaw in Node.jsโ€™s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive file...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnosti...

Vendor: go
Product: github.com/fleetdm/fleet
Published: Jan 20, 2026
Source: GitHub
CVE-2026-23842 HIGH - 7.5

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust ...

Vendor: pip
Product: chatterbot
Published: Jan 20, 2026
Source: GitHub
CVE-2025-33233 HIGH - 7.8

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Vendor: NVIDIA
Product: Merlin Transformers4Rec
Published: Jan 20, 2026
Source: NVD
CVE-2025-33230 HIGH - 7.3

NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tamp...

Vendor: NVIDIA
Product: CUDA Toolkit
Published: Jan 20, 2026
Source: NVD
CVE-2025-33229 HIGH - 7.3

NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, co...

Vendor: NVIDIA
Product: CUDA Toolkit
Published: Jan 20, 2026
Source: NVD
CVE-2025-33228 HIGH - 7.3

NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execu...

Vendor: NVIDIA
Product: CUDA Toolkit
Published: Jan 20, 2026
Source: NVD

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file....

Vendor: go
Product: github.com/esm-dev/esm.sh
Published: Jan 20, 2026
Source: GitHub
CVE-2025-56353 HIGH - 7.5

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid fil...

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD
CVE-2025-36418 HIGH - 7.3

IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges.

Vendor: IBM
Product: ApplinX
Published: Jan 20, 2026
Source: NVD
CVE-2025-33015 HIGH - 8.8

IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface.

Vendor: IBM
Product: Concert
Published: Jan 20, 2026
Source: NVD
CVE-2026-0726 HIGH - 8.1

The Nexter Extension โ€“ Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to ...

Published: Jan 20, 2026
Source: NVD
CVE-2025-15380 HIGH - 7.2

The NotificationX โ€“ FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including,...

Vendor: wpdevteam
Product: NotificationX โ€“ FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Published: Jan 20, 2026
Source: NVD