Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,598
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,321 - 13,340 of 13,618 CVEs
CVE-2026-22194 HIGH - 8.8

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. ...

Vendor: gestsup
Product: gestsup
Published: Jan 09, 2026
Source: NVD
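The GestSup entry above describes the root cause of CSRF in one clause: the server does not check that a state-changing request actually originated from its own pages. The following is an added illustration, not GestSup's code and not derived from the advisory, of the two checks a request handler should apply before acting on a POST: an Origin/Referer comparison against the site's own origin, and a per-session synchronizer token compared in constant time. The origin `https://helpdesk.example.test`, the header and form field names, and the request scenarios at the bottom are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the application (constructed for this example).
SITE_ORIGIN = "https://helpdesk.example.test"

# Safe methods must not change state, so they are exempt from the token check;
# everything else (POST, PUT, DELETE, ...) must prove it came from our pages.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token, store it server-side, and return
    it so the page can embed it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_is_authentic(session: dict, method: str, headers: dict, form: dict) -> bool:
    """Return True only if a state-changing request passes both checks:
    1. the Origin header (or Referer, when Origin is absent) names this site;
    2. the submitted form token equals the token bound to the session.
    A logged-in victim lured onto another site fails check 1 (browser sets a
    foreign Origin) and check 2 (the attacker cannot read the session token)."""
    if method.upper() in SAFE_METHODS:
        return True

    # Header names are case-insensitive on the wire; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False  # fail closed: no evidence of where the request came from
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False

    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    # Constant-time comparison so an attacker cannot recover the token
    # byte-by-byte from response timing.
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Constructed scenarios: a legitimate same-site POST, a cross-site POST
    carrying a stolen-looking but wrong token, and a POST with no token."""
    session: dict = {}
    token = issue_csrf_token(session)
    legit = request_is_authentic(
        session, "POST", {"Origin": SITE_ORIGIN}, {"csrf_token": token})
    cross_site = request_is_authentic(
        session, "POST", {"Origin": "https://attacker.example.test"},
        {"csrf_token": token})
    no_token = request_is_authentic(
        session, "POST", {"Referer": SITE_ORIGIN + "/ticket/42"}, {})
    return {"legit": legit, "cross_site": cross_site, "no_token": no_token}


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient (some proxies strip Referer, and older clients omit Origin), which is why the token check is kept as the primary control; the header check is cheap defence in depth that also rejects forged requests before any token lookup.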
CVE-2025-66744 HIGH - 7.5

In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system.

Published: Jan 09, 2026
Source: NVD
CVE-2025-15495 HIGH - 7.2

A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was...

Vendor: biggidroid
Product: simple_php_cms
Published: Jan 09, 2026
Source: NVD
CVE-2025-15494 HIGH - 8.8

A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and...

Vendor: docsys_project
Product: docsys
Published: Jan 09, 2026
Source: NVD
CVE-2026-0803 HIGH - 8.8

A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in sql injection. The attack may be launched remotely. The expl...

Vendor: phpgurukul
Product: online_course_registration_system
Published: Jan 09, 2026
Source: NVD
CVE-2025-67133 HIGH - 7.5

An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component.

Published: Jan 09, 2026
Source: NVD
CVE-2025-56225 HIGH - 7.5

FluidSynth 2.4.6 and earlier versions are vulnerable to a null pointer dereference in fluid_synth_monopoly.c that can be triggered when loading an invalid MIDI file.

Vendor: fluidsynth
Product: fluidsynth
Published: Jan 09, 2026
Source: NVD
CVE-2025-15492 HIGH - 8.8

A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the attack remotely. The e...

Vendor: docsys_project
Product: docsys
Published: Jan 09, 2026
Source: NVD
CVE-2025-66052 HIGH - 7.2

Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, adm...

Vendor: vivotek
Product: ip7137_firmware
Published: Jan 09, 2026
Source: NVD
CVE-2025-66049 HIGH - 7.5

Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, pot...

Vendor: vivotek
Product: ip7137_firmware
Published: Jan 09, 2026
Source: NVD
CVE-2025-64092 HIGH - 7.5

This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.

Published: Jan 09, 2026
Source: NVD
CVE-2025-64091 HIGH - 8.6

This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.

Published: Jan 09, 2026
Source: NVD
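Two entries above, the Vivotek IP7137 `system_ntpIt` parameter (CVE-2025-66052) and CVE-2025-64091, share one failure pattern: an administrator-supplied NTP server value reaches an operating-system command line unsanitized. The following is an added example, written for this page rather than taken from either vendor's firmware, showing the vulnerable string-building pattern next to a hardened version that validates the value against a hostname/IPv4 grammar and passes it as a separate argv element so no shell ever parses it. The `ntpdate -u` command line, the sample values, and all function names are assumptions chosen for illustration.

```python
import re
import shlex

# Constructed sample values (not taken from the advisories above).
LEGIT_NTP = "pool.ntp.org"
HOSTILE_NTP = "pool.ntp.org; echo INJECTED > /tmp/pwned"

# RFC 1123 host-label grammar; a dotted IPv4 literal matches it as well.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def build_ntp_command_vulnerable(server: str) -> str:
    """The pattern behind this bug class: the request parameter is pasted into
    a command line that is later handed to /bin/sh unchanged."""
    return f"ntpdate -u {server}"


def shell_commands_in(cmdline: str) -> list[list[str]]:
    """Tokenise the string the way a POSIX shell would and split it on ';'.
    More than one command back means the parameter escaped its argument slot.
    (shlex with punctuation_chars=True returns ';', '>', '|' etc. as their own
    tokens, which is what makes the separator visible.)"""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_ntp_server(server: str) -> str:
    """Allow-list check: accept only a well-formed hostname or IPv4 literal of
    sane length. Anything else is rejected before it reaches a command line or
    a config file, rather than trying to strip 'dangerous' characters."""
    if not 1 <= len(server) <= 253:
        raise ValueError("ntp server: bad length")
    if _HOSTNAME_RE.fullmatch(server) is None:
        raise ValueError(f"ntp server: rejected {server!r}")
    return server


def build_ntp_argv_hardened(server: str) -> list[str]:
    """The validated value becomes one argv element. Pass the list to
    subprocess.run(argv) with the default shell=False; the kernel receives the
    argument verbatim and no shell metacharacter is ever interpreted."""
    return ["ntpdate", "-u", validate_ntp_server(server)]


if __name__ == "__main__":
    print(shell_commands_in(build_ntp_command_vulnerable(LEGIT_NTP)))
    print(shell_commands_in(build_ntp_command_vulnerable(HOSTILE_NTP)))
    print(build_ntp_argv_hardened(LEGIT_NTP))
    try:
        build_ntp_argv_hardened(HOSTILE_NTP)
    except ValueError as err:
        print("rejected:", err)
```

The hostile value produces two shell commands from the vulnerable builder and a `ValueError` from the hardened one. Note that the argv form alone is not enough if the value is also written into a configuration file that a daemon later parses; the allow-list validation is what covers that path.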
CVE-2025-69195 HIGH - 7.6

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted UR...

Published: Jan 09, 2026
Source: NVD
CVE-2025-69194 HIGH - 8.8

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss o...

Published: Jan 09, 2026
Source: NVD
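The Wget2 Metalink entry above (CVE-2025-69194) is a path-validation problem: the `name` attribute of a `<file>` element is attacker-controlled, and a client that joins it to the download directory without checking it can be made to write anywhere the process can. The following is an added example, not Wget2's code, showing the check a Metalink client should apply: normalise the name, reject absolute paths, drive-letter prefixes and anything that climbs above the download directory, and only then form the destination path. The Metalink 4 document is constructed for the example (the namespace `urn:ietf:params:xml:ns:metalink` is the one RFC 5854 defines); the base directory `downloads` and all function names are assumptions.

```python
from __future__ import annotations

import posixpath
import xml.etree.ElementTree as ET

METALINK_NS = "{urn:ietf:params:xml:ns:metalink}"

# Constructed Metalink 4 document. The second and third <file> entries carry
# the kind of name the advisory warns about; the fourth contains a harmless
# '..' that stays inside the tree.
SAMPLE_METALINK = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="dist/package-1.0.tar.gz">
    <url>https://mirror.example.test/package-1.0.tar.gz</url>
  </file>
  <file name="../../.bashrc">
    <url>https://mirror.example.test/evil</url>
  </file>
  <file name="/etc/cron.d/job">
    <url>https://mirror.example.test/evil2</url>
  </file>
  <file name="ok/../also-fine.bin">
    <url>https://mirror.example.test/also-fine.bin</url>
  </file>
</metalink>
"""


def safe_relative_path(name: str) -> str | None:
    """Return a normalised path that stays inside the download directory, or
    None if the name is empty, absolute, carries a drive prefix, or would climb
    above the directory. posixpath is used deliberately so the result does not
    depend on the host OS; backslashes are treated as separators as well."""
    if not name:
        return None
    candidate = name.replace("\\", "/")
    if candidate.startswith("/"):
        return None
    parts = [p for p in posixpath.normpath(candidate).split("/") if p not in ("", ".")]
    if not parts:
        return None
    if ":" in parts[0]:          # 'C:' style prefix would be absolute on Windows
        return None
    # normpath collapses '..' that stays within the tree; any '..' that survives
    # means the name tried to escape.
    if ".." in parts:
        return None
    return "/".join(parts)


def plan_downloads(metalink_xml: str, base_dir: str = "downloads") -> tuple[list[tuple[str, str]], list[str]]:
    """Parse a Metalink 4 document and return (accepted, rejected): accepted is a
    list of (destination path under base_dir, first URL); rejected holds the raw
    names that failed validation. For XML from an untrusted origin, parse with
    defusedxml instead of the stdlib parser to also cover entity-expansion abuse."""
    root = ET.fromstring(metalink_xml)
    accepted: list[tuple[str, str]] = []
    rejected: list[str] = []
    for file_el in root.iter(METALINK_NS + "file"):
        name = file_el.get("name", "")
        url_el = file_el.find(METALINK_NS + "url")
        url = url_el.text.strip() if url_el is not None and url_el.text else ""
        rel = safe_relative_path(name)
        if rel is None:
            rejected.append(name)
            continue
        accepted.append((posixpath.join(base_dir, rel), url))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_downloads(SAMPLE_METALINK)
    for dest, url in ok:
        print("download", url, "->", dest)
    for name in bad:
        print("rejected name:", name)
```

Rejecting rather than "fixing" a bad name is the right failure mode here: a name that points outside the download directory is never a legitimate mirror entry, and silently rewriting it would hide the attempt from the user.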
CVE-2025-14937 HIGH - 7.2

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escap...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14657 HIGH - 7.2

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for u...

Published: Jan 09, 2026
Source: NVD
CVE-2026-20976 HIGH - 7.8

Improper input validation in Galaxy Store prior to version 4.6.02 allows a local attacker to execute arbitrary script.

Vendor: samsung
Product: galaxy_store
Published: Jan 09, 2026
Source: NVD
CVE-2026-20971 HIGH - 7.8

Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2026-20970 HIGH - 7.8

Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to invoke privileged APIs.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2025-15057 HIGH - 7.2

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it...

Published: Jan 09, 2026
Source: NVD