Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,904
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 13,321 - 13,340 of 14,373 CVEs
CVE-2026-24332 MEDIUM - 4.3

Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are ...

Vendor: Discord
Product: WebSocket API service
Published: Jan 22, 2026
Source: NVD
CVE-2025-71176 MEDIUM - 6.8

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Vendor: pytest
Product: pytest
Published: Jan 22, 2026
Source: NVD
CVE-2026-24039 MEDIUM - 4.3

Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; h...

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-24037 MEDIUM - 4.8

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to red...

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-24036 MEDIUM - 5.3

Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unaut...

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-24035 MEDIUM - 4.3

Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper...

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-24034 MEDIUM - 5.4

Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue.

Vendor: horilla-opensource
Product: horilla
Published: Jan 22, 2026
Source: NVD
CVE-2026-23964 MEDIUM - 6.5

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining ...

Vendor: mastodon
Product: mastodon
Published: Jan 22, 2026
Source: NVD
CVE-2026-23963 MEDIUM - 4.3

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword....

Vendor: mastodon
Product: mastodon
Published: Jan 22, 2026
Source: NVD
CVE-2026-23961 MEDIUM - 5.3

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under cert...

Vendor: mastodon
Product: mastodon
Published: Jan 22, 2026
Source: NVD
CVE-2025-27379 MEDIUM - 6.8

A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.

Vendor: Altium
Product: AES
Published: Jan 22, 2026
Source: NVD
CVE-2026-23951 MEDIUM - 5.5

SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in ...

Vendor: sumatrapdfreader
Product: sumatrapdf
Published: Jan 22, 2026
Source: NVD
CVE-2026-23893 MEDIUM - 6.8

openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token dir...

Vendor: opencryptoki
Product: opencryptoki
Published: Jan 22, 2026
Source: NVD
CVE-2025-27377 MEDIUM - 5.3

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitiv...

Vendor: Altium
Product: Altium Designer
Published: Jan 22, 2026
Source: NVD
CVE-2026-1036 MEDIUM - 5.3

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to ...

Published: Jan 22, 2026
Source: NVD
CVE-2025-13465 MEDIUM - 6.5

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original beh...

Vendor: npm
Product: lodash
Published: Jan 21, 2026
Source: GitHub
CVE-2026-24047 MEDIUM - 6.3

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which i...

Vendor: npm
Product: @backstage/cli-common
Published: Jan 21, 2026
Source: GitHub
CVE-2026-23990 MEDIUM - 5.3

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an...

Vendor: go
Product: github.com/controlplaneio-fluxcd/flux-operator
Published: Jan 21, 2026
Source: GitHub

Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` fla...

Vendor: pip
Product: copier
Published: Jan 21, 2026
Source: GitHub

Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` fla...

Vendor: pip
Product: copier
Published: Jan 21, 2026
Source: GitHub