Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,602
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,261 - 13,280 of 13,618 CVEs
CVE-2026-22789 HIGH - 8.8

WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code...

Vendor: wem-project
Product: wem
Published: Jan 12, 2026
Source: NVD
CVE-2026-22788 HIGH - 8.2

WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quo...

Vendor: wem-project
Product: wem
Published: Jan 12, 2026
Source: NVD
CVE-2023-36331 HIGH - 8.2

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.

Vendor: exrick
Product: xmall
Published: Jan 12, 2026
Source: NVD
CVE-2026-22783 HIGH - 8.1

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation e...

Vendor: dfir-iris
Product: iris
Published: Jan 12, 2026
Source: NVD
CVE-2026-22776 HIGH - 7.5

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_...

Vendor: yhirose
Product: cpp-httplib
Published: Jan 12, 2026
Source: NVD
CVE-2026-22771 HIGH - 8.8

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communi...

Published: Jan 12, 2026
Source: NVD
CVE-2025-68472 HIGH - 8.1

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT h...

Published: Jan 12, 2026
Source: NVD
CVE-2025-46068 HIGH - 8.8

An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism.

Vendor: automai
Product: director
Published: Jan 12, 2026
Source: NVD
CVE-2025-46067 HIGH - 8.2

An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted JS file.

Vendor: automai
Product: director
Published: Jan 12, 2026
Source: NVD
CVE-2025-71063 HIGH - 8.2

Errands before 46.2.10 does not verify TLS certificates for CalDAV servers.

Published: Jan 12, 2026
Source: NVD
CVE-2025-14279 HIGH - 8.1

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attac...

Published: Jan 12, 2026
Source: NVD
CVE-2026-0855 HIGH - 8.8

Certain IP Camera models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.

Published: Jan 12, 2026
Source: NVD
CVE-2026-0854 HIGH - 8.8

Certain DVR/NVR models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.

Published: Jan 12, 2026
Source: NVD
CVE-2025-69276 HIGH - 8.8

Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows and Linux allows Object Injection. This issue affects DX NetOps Spectrum: 24.3.13 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2025-69274 HIGH - 8.8

Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows and Linux allows Privilege Escalation. This issue affects DX NetOps Spectrum: 24.3.10 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2025-69273 HIGH - 7.5

Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows and Linux allows Authentication Bypass. This issue affects DX NetOps Spectrum: 24.3.10 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2025-69272 HIGH - 7.5

Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows and Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 21.2.1 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2025-69271 HIGH - 7.5

Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows and Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 24.3.13 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2026-0850 HIGH - 7.2

A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Manipulation of the argument activity_id can lead to SQL injection. The attack may be launched remotely. The exploit has been p...

Vendor: carmelo
Product: intern_membership_management_system
Published: Jan 11, 2026
Source: NVD
CVE-2025-68493 HIGH - 8.1

Missing XML Validation vulnerability in Apache Struts. This issue affects Apache Struts from 2.0.0 before 2.2.1 and from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Vendor: apache
Product: struts
Published: Jan 11, 2026
Source: NVD