Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,917
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,201 - 13,220 of 14,373 CVEs
CVE-2026-24137 MEDIUM - 5.8

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from sign...

Vendor: go
Product: github.com/sigstore/sigstore
Published: Jan 22, 2026
Source: GitHub
CVE-2026-22280 MEDIUM - 5.0

Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local ...

Vendor: Dell
Product: PowerScale OneFS
Published: Jan 22, 2026
Source: NVD
CVE-2026-22279 MEDIUM - 4.3

Dell PowerScale OneFS, versions prior 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering.

Vendor: Dell
Product: PowerScale OneFS
Published: Jan 22, 2026
Source: NVD
CVE-2025-68609 MEDIUM - 6.6

A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible...

Vendor: Palantir
Product: com.palantir.aries:aries
Published: Jan 22, 2026
Source: NVD
CVE-2026-24117 MEDIUM - 5.3

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate sta...

Vendor: go
Product: github.com/sigstore/rekor
Published: Jan 22, 2026
Source: GitHub
CVE-2026-23831 MEDIUM - 5.3

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is ...

Vendor: go
Product: github.com/sigstore/rekor
Published: Jan 22, 2026
Source: GitHub
CVE-2025-67221 MEDIUM - 7.5

The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents.

Vendor: pip
Product: orjson
Published: Jan 22, 2026
Source: GitHub
CVE-2026-24389 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS.This issue affects Gallery PhotoBlocks: from n/a through <= 1.3.2.

Vendor: WP Chill
Product: Gallery PhotoBlocks
Published: Jan 22, 2026
Source: NVD
CVE-2026-24388 MEDIUM - 4.3

Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPMasterToolKit: from n/a through <= 2.14.0.

Vendor: Ludwig You
Product: WPMasterToolKit
Published: Jan 22, 2026
Source: NVD
CVE-2026-24387 MEDIUM - 4.3

Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through <= 2.1.

Vendor: Arul Prasad J
Product: WP Quick Post Duplicator
Published: Jan 22, 2026
Source: NVD
CVE-2026-24386 MEDIUM - 4.3

Missing Authorization vulnerability in Element Invader Element Invader &#8211; Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader &#8211; Template Kits for Elementor: from n/a through <= 1.2...

Vendor: Element Invader
Product: Element Invader &#8211; Template Kits for Elementor
Published: Jan 22, 2026
Source: NVD
CVE-2026-24384 MEDIUM - 5.4

Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery.This issue affects Merge + Minify + Refresh: from n/a through <= 2.14.

Vendor: launchinteractive
Product: Merge + Minify + Refresh
Published: Jan 22, 2026
Source: NVD
CVE-2026-24383 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS.This issue affects B Slider: from n/a through <= 2.0.6.

Vendor: bPlugins
Product: B Slider
Published: Jan 22, 2026
Source: NVD
CVE-2026-24381 MEDIUM - 5.4

Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery.This issue affects PhotoMe: from n/a through < 5.7.2.

Vendor: ThemeGoods
Product: PhotoMe
Published: Jan 22, 2026
Source: NVD
CVE-2026-24374 MEDIUM - 5.4

Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery.This issue affects RegistrationMagic: from n/a through <= 6.0.6.9.

Vendor: Metagauss
Product: RegistrationMagic
Published: Jan 22, 2026
Source: NVD
CVE-2026-24366 MEDIUM - 5.3

Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Request A Quote: from n/a through <= 2.46.0.

Vendor: YITHEMES
Product: YITH WooCommerce Request A Quote
Published: Jan 22, 2026
Source: NVD
CVE-2026-24365 MEDIUM - 5.4

Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery.This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0.

Vendor: storeapps
Product: Stock Manager for WooCommerce
Published: Jan 22, 2026
Source: NVD
CVE-2026-24361 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress &#8211; Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress &#8211; Course Review: from n/a through <= 4.1.9.

Vendor: ThimPress
Product: LearnPress &#8211; Course Review
Published: Jan 22, 2026
Source: NVD
CVE-2026-24360 MEDIUM - 4.6

Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.

Vendor: Craig Hewitt
Product: Seriously Simple Podcasting
Published: Jan 22, 2026
Source: NVD
CVE-2026-24355 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS.This issue affects Houzez Theme - Functionality: from n/a through <= 4.2.6.

Vendor: favethemes
Product: Houzez Theme - Functionality
Published: Jan 22, 2026
Source: NVD