Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,917
Quick preset (or use dates below)
Clear Filters
Showing 13,401 - 13,420 of 14,756 CVEs
CVE-2026-21933 MEDIUM - 6.1

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 ...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21931 MEDIUM - 5.4

Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compro...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21929 MEDIUM - 5.3

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks o...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21928 MEDIUM - 5.3

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can ...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21927 MEDIUM - 5.8

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21925 MEDIUM - 4.8

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21924 MEDIUM - 5.4

Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21923 MEDIUM - 6.5

Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Lif...

Published: Jan 20, 2026
Source: NVD
CVE-2026-21922 MEDIUM - 4.2

Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budget...

Published: Jan 20, 2026
Source: NVD
CVE-2026-1245 MEDIUM - 6.5

A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitizati...

Vendor: npm
Product: binary-parser
Published: Jan 20, 2026
Source: GitHub
CVE-2026-21664 MEDIUM - 6.1

HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent t...

Vendor: Revive
Product: Revive Adserver
Published: Jan 20, 2026
Source: NVD
CVE-2026-21663 MEDIUM - 6.1

HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser an...

Vendor: Revive
Product: Revive Adserver
Published: Jan 20, 2026
Source: NVD
CVE-2026-21642 MEDIUM - 6.1

HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML ...

Vendor: Revive
Product: Revive Adserver
Published: Jan 20, 2026
Source: NVD
CVE-2026-21637 MEDIUM - 5.9

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immedia...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD
CVE-2026-21636 MEDIUM - 5.8

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or und...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD
CVE-2025-59466 MEDIUM - 5.9

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD
CVE-2025-59464 MEDIUM - 6.5

A memory leak in Node.jsโ€™s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth throu...

Vendor: nodejs
Product: node
Published: Jan 20, 2026
Source: NVD

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localSt...

Vendor: go
Product: github.com/fleetdm/fleet
Published: Jan 20, 2026
Source: GitHub
CVE-2026-0622 MEDIUM - 6.5

Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset

Published: Jan 20, 2026
Source: NVD
CVE-2025-67263 MEDIUM - 6.1

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fiel...

Vendor: n/a
Product: n/a
Published: Jan 20, 2026
Source: NVD