Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,847
Quick preset (or use dates below)
Clear Filters
Showing 13,421 - 13,440 of 14,327 CVEs
CVE-2026-0897 HIGH - 7.5

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive con...

Vendor: keras
Product: keras
Published: Jan 15, 2026
Source: NVD
CVE-2025-13062 HIGH - 8.8

The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. ...

Vendor: divisupreme
Product: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
Published: Jan 15, 2026
Source: NVD
CVE-2026-22920 HIGH - 7.5

The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22918 HIGH - 8.2

An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22917 HIGH - 7.5

Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22911 HIGH - 7.5

Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2025-14457 HIGH - 7.4

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated a...

Vendor: codedropz
Product: contact_form_7
Published: Jan 15, 2026
Source: NVD
CVE-2025-13455 HIGH - 7.8

A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint.

Published: Jan 14, 2026
Source: NVD
CVE-2025-12166 HIGH - 7.5

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lac...

Published: Jan 14, 2026
Source: NVD
CVE-2026-23512 HIGH - 8.6

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows ex...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0861 HIGH - 8.4

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size...

Published: Jan 14, 2026
Source: NVD
CVE-2026-23498 HIGH - 7.2

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

Published: Jan 14, 2026
Source: NVD
CVE-2026-23477 HIGH - 7.7

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as t...

Published: Jan 14, 2026
Source: NVD
CVE-2026-22036 HIGH - 7.5

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerabilit...

Vendor: nodejs
Product: undici
Published: Jan 14, 2026
Source: NVD
CVE-2025-33206 HIGH - 7.8

NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service.

Published: Jan 14, 2026
Source: NVD
CVE-2026-22856 HIGH - 8.1

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.

Vendor: freerdp
Product: freerdp
Published: Jan 14, 2026
Source: NVD
CVE-2025-71021 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serverName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: tenda
Product: ax1806_firmware
Published: Jan 14, 2026
Source: NVD
CVE-2025-70747 HIGH - 7.5

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serviceName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Vendor: tenda
Product: ax1806_firmware
Published: Jan 14, 2026
Source: NVD
CVE-2026-21889 HIGH - 7.5

Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.

Vendor: weblate
Product: weblate
Published: Jan 14, 2026
Source: NVD
CVE-2025-37183 HIGH - 7.2

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading t...

Vendor: arubanetworks
Product: edgeconnect_sd-wan_orchestrator
Published: Jan 14, 2026
Source: NVD