Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,921
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,521 - 13,540 of 13,803 CVEs
CVE-2025-14657 HIGH - 7.2

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for u...

Published: Jan 09, 2026
Source: NVD
CVE-2026-20976 HIGH - 7.8

Improper input validation in Galaxy Store prior to version 4.6.02 allows a local attacker to execute an arbitrary script.

Vendor: samsung
Product: galaxy_store
Published: Jan 09, 2026
Source: NVD
CVE-2026-20971 HIGH - 7.8

Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2026-20970 HIGH - 7.8

Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to execute the privileged APIs.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2025-15057 HIGH - 7.2

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it...

Published: Jan 09, 2026
Source: NVD
CVE-2025-15055 HIGH - 7.2

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated at...

Published: Jan 09, 2026
Source: NVD
CVE-2026-0733 HIGH - 8.8

A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit h...

Vendor: phpgurukul
Product: online_course_registration_system
Published: Jan 09, 2026
Source: NVD
CVE-2026-0729 HIGH - 7.2

A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is n...

Vendor: carmelo
Product: intern_membership_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2025-14436 HIGH - 7.2

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0728 HIGH - 7.2

A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The expl...

Vendor: carmelo
Product: intern_membership_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2025-68719 HIGH - 8.8

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, en...

Published: Jan 08, 2026
Source: NVD
CVE-2025-68716 HIGH - 8.4

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 have the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially...

Published: Jan 08, 2026
Source: NVD
CVE-2025-15464 HIGH - 7.5

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22257 HIGH - 8.8

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the file or folder names; this may potentially lead to XSS in cases where a website allows access to public files using this feature and anyone can upload ...

Published: Jan 08, 2026
Source: NVD
CVE-2026-22256 HIGH - 8.8

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder which includes a render of the current path, which is inserted into the HTML without proper sanitization; this leads to reflected XSS using the fact that the request path is decoded an...

Published: Jan 08, 2026
Source: NVD
CVE-2025-65518 HIGH - 7.5

Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service un...

Published: Jan 08, 2026
Source: NVD
CVE-2026-22235 HIGH - 7.5

OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22230 HIGH - 7.6

OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68158 HIGH - 8.8

Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authent...

Vendor: authlib
Product: authlib
Published: Jan 08, 2026
Source: NVD
CVE-2026-22521 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9.

Published: Jan 08, 2026
Source: NVD