Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,592
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,341 - 13,360 of 13,618 CVEs
CVE-2025-15055 HIGH - 7.2

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated at...

Published: Jan 09, 2026
Source: NVD
CVE-2026-0733 HIGH - 8.8

A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit h...

Vendor: phpgurukul
Product: online_course_registration_system
Published: Jan 09, 2026
Source: NVD
CVE-2026-0729 HIGH - 7.2

A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is n...

Vendor: carmelo
Product: intern_membership_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2025-14436 HIGH - 7.2

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0728 HIGH - 7.2

A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The expl...

Vendor: carmelo
Product: intern_membership_management_system
Published: Jan 08, 2026
Source: NVD
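The three SQL injection entries above (CVE-2026-0733, CVE-2026-0729 and CVE-2026-0728) share one root cause: a request parameter is concatenated into a query string. The following is an added example, not code from any of those products, that reproduces the flaw class against a constructed in-memory SQLite table and shows the parameterized form beside it. The table, the column names and the payload are assumptions chosen for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny students table standing in for the
    records behind an admin page such as manage-students.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, student_id: str) -> list:
    """Vulnerable pattern: the raw parameter becomes part of the SQL text,
    so 'id=1 OR 1=1' rewrites the WHERE clause."""
    return conn.execute(
        f"SELECT name FROM students WHERE id = {student_id}"
    ).fetchall()


def lookup_safe(conn: sqlite3.Connection, student_id: str) -> list:
    """Hardened pattern: validate the type, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not student_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT name FROM students WHERE id = ?", (int(student_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "1 OR 1=1"))   # every row, not just one
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The same payload that dumps the whole table through `lookup_unsafe` is rejected before it reaches the database in `lookup_safe`; parameter binding alone would already stop the injection (the string would simply not match any integer id), the type check adds a clearer failure.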
CVE-2025-68719 HIGH - 8.8

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, en...

Published: Jan 08, 2026
Source: NVD
CVE-2025-68716 HIGH - 8.4

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 have the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially...

Published: Jan 08, 2026
Source: NVD
CVE-2025-15464 HIGH - 7.5

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22257 HIGH - 8.8

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the file or folder names; this may lead to XSS in cases where a website allows access to public files using this feature and anyone can upload ...

Published: Jan 08, 2026
Source: NVD
CVE-2026-22256 HIGH - 8.8

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder which includes a rendering of the current path. That path is inserted into the HTML without proper sanitization, which leads to reflected XSS because the request path is decoded an...

Published: Jan 08, 2026
Source: NVD
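The two Salvo entries above (CVE-2026-22257 and CVE-2026-22256) describe the same listing function with two untrusted inputs: entry names from the filesystem and the decoded request path. As an added illustration that is not Salvo's code and not in Rust, the Python below renders a minimal directory view the way the advisories describe it, then the same view with each value encoded for the context it lands in. The sample entries, the sample path and the function names are constructed for this example.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample inputs (not from the advisories): one entry name carries
# markup, and the request path carries a percent-encoded script tag.
SAMPLE_ENTRIES = ["readme.txt", "<img src=x onerror=alert(1)>.png"]
SAMPLE_PATH = "/files/%3Cscript%3Ealert(1)%3C%2Fscript%3E/"


def list_html_unsafe(request_path: str, entries: list[str]) -> str:
    """Directory view in the shape the two advisories describe: the decoded
    request path and each entry name go into the HTML verbatim."""
    path = unquote(request_path)
    rows = "".join(f'<li><a href="{path}{name}">{name}</a></li>' for name in entries)
    return f"<h1>Index of {path}</h1><ul>{rows}</ul>"


def list_html_safe(request_path: str, entries: list[str]) -> str:
    """Same view, with every untrusted value encoded for its context:
    HTML-escaped in text and attribute positions, percent-encoded inside href."""
    path = unquote(request_path)
    heading = html.escape(path, quote=True)
    rows = []
    for name in entries:
        href = html.escape(quote(path + name, safe="/"), quote=True)
        rows.append(f'<li><a href="{href}">{html.escape(name, quote=True)}</a></li>')
    return f"<h1>Index of {heading}</h1><ul>{''.join(rows)}</ul>"


def contains_injected_markup(rendered: str) -> bool:
    """True when either sample payload survived as a live tag."""
    return "<script>" in rendered or "<img " in rendered


if __name__ == "__main__":
    print(list_html_unsafe(SAMPLE_PATH, SAMPLE_ENTRIES))
    print(list_html_safe(SAMPLE_PATH, SAMPLE_ENTRIES))
```

Note that the path is decoded before it is rendered in both versions; the fix is not to skip decoding (the link targets would then be wrong) but to encode the decoded value again for HTML and, separately, for the URL attribute.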
CVE-2025-65518 HIGH - 7.5

Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service un...

Published: Jan 08, 2026
Source: NVD
CVE-2026-22235 HIGH - 7.5

OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22230 HIGH - 7.6

OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68158 HIGH - 8.8

Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authent...

Vendor: authlib
Product: authlib
Published: Jan 08, 2026
Source: NVD
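The Authlib entry above turns on one detail: a cache-backed state store that is keyed by the state value alone accepts that value from whatever browser presents it. The following is an added example, not Authlib's code, that models the two keying strategies with a dictionary in place of a cache and runs the login-CSRF scenario against each. The session identifiers and the stored payload are assumptions.

```python
import secrets


class StateStore:
    """Minimal stand-in for a cache-backed OAuth state store.

    bind_to_session=False reproduces the flaw class described for
    CVE-2025-68158: the entry is keyed by state only, so any session that
    knows a valid state can redeem it. bind_to_session=True keys the entry
    by (session_id, state), tying it to the browser that started the flow."""

    def __init__(self, bind_to_session: bool) -> None:
        self.bind_to_session = bind_to_session
        self._cache: dict = {}  # assumption: stands in for the real cache backend

    def _key(self, session_id: str, state: str):
        return (session_id, state) if self.bind_to_session else state

    def create_state(self, session_id: str) -> str:
        """Called when a session starts an authorization request."""
        state = secrets.token_urlsafe(16)
        self._cache[self._key(session_id, state)] = {"redirect_uri": "https://app.example/cb"}
        return state

    def consume_state(self, session_id: str, state: str):
        """Called on the callback; returns the stored data or None if the
        state is unknown for this session."""
        return self._cache.pop(self._key(session_id, state), None)


def attacker_state_accepted(bind_to_session: bool) -> bool:
    """Login-CSRF scenario: the attacker starts a flow in their own session,
    then lures the victim to the callback URL carrying the attacker's state.
    Returns True if the victim's session redeems it."""
    store = StateStore(bind_to_session)
    attacker_state = store.create_state("attacker-session")
    return store.consume_state("victim-session", attacker_state) is not None


def legitimate_flow_succeeds(bind_to_session: bool) -> bool:
    """The honest case must keep working under either strategy."""
    store = StateStore(bind_to_session)
    state = store.create_state("user-session")
    return store.consume_state("user-session", state) is not None


if __name__ == "__main__":
    print("state-only key, attacker state accepted:", attacker_state_accepted(False))
    print("session-bound key, attacker state accepted:", attacker_state_accepted(True))
```

Binding the key to the session is the whole fix: the attacker can still obtain a valid state by starting their own flow, but it is now unredeemable from any other session.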
CVE-2026-22521 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9.

Published: Jan 08, 2026
Source: NVD
CVE-2026-21638 HIGH - 8.8

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earli...

Vendor: ui
Product: ubb-xg_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2025-56424 HIGH - 7.5

An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script

Vendor: insiders-technologies
Product: e-invoice_pro
Published: Jan 08, 2026
Source: NVD
CVE-2025-50334 HIGH - 7.5

An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component

Vendor: technitium
Product: dnsserver
Published: Jan 08, 2026
Source: NVD
CVE-2026-22255 HIGH - 8.8

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This ...

Vendor: color
Product: iccdev
Published: Jan 08, 2026
Source: NVD
CVE-2026-22245 HIGH - 7.5

Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) ...

Vendor: joinmastodon
Product: mastodon
Published: Jan 08, 2026
Source: NVD