Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,592
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,361 - 13,380 of 13,618 CVEs
CVE-2026-22244 HIGH - 7.2

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

Vendor: open-metadata
Product: openmetadata
Published: Jan 08, 2026
Source: NVD
CVE-2025-68151 HIGH - 7.5

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connectio...

Vendor: coredns.io
Product: coredns
Published: Jan 08, 2026
Source: NVD
CVE-2025-67089 HIGH - 8.1

A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands wi...

Vendor: gl-inet
Product: gl-axt1800_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2025-63611 HIGH - 8.7

Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint...

Vendor: phpgurukul
Product: hostel_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2026-22241 HIGH - 7.2

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file syst...

Vendor: openeclass
Product: openeclass
Published: Jan 08, 2026
Source: NVD
CVE-2026-22042 HIGH - 8.8

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM d...

Vendor: rustfs
Product: rustfs
Published: Jan 08, 2026
Source: NVD
CVE-2026-21892 HIGH - 7.3

Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL rout...

Vendor: uchicago
Product: parsl
Published: Jan 08, 2026
Source: NVD
CVE-2025-14025 HIGH - 8.5

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If th...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0719 HIGH - 8.6

A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect...

Published: Jan 08, 2026
Source: NVD
CVE-2025-69260 HIGH - 7.5

A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.

Vendor: trendmicro
Product: apex_central
Published: Jan 08, 2026
Source: NVD
CVE-2025-69259 HIGH - 7.5

A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.

Vendor: trendmicro
Product: apex_central
Published: Jan 08, 2026
Source: NVD
CVE-2025-66001 HIGH - 8.8

NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68889 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS. This issue affects Pinpoll: from n/a through <= 4.0.0.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68887 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through <= 3.1.5.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68874 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS. This issue affects Visitor Stats Widget: from n/a through <= 1.5.0.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68873 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chloédigital PRIMER by chloédigital primer-by-chloedigital allows Reflected XSS. This issue affects PRIMER by chloédigital: from n/a through <= 1.0.25.

Published: Jan 08, 2026
Source: NVD
CVE-2025-67937 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion. This issue affects Hendon: from n/a through < 1.7.

Published: Jan 08, 2026
Source: NVD
CVE-2025-67936 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3.

Published: Jan 08, 2026
Source: NVD
CVE-2025-67935 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion. This issue affects Optimize: from n/a through < 2.4.

Published: Jan 08, 2026
Source: NVD
CVE-2025-67934 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8.

Published: Jan 08, 2026
Source: NVD