Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,916
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,541 - 13,560 of 13,803 CVEs
CVE-2026-21638 HIGH - 8.8

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earli...

Vendor: ui
Product: ubb-xg_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2025-56424 HIGH - 7.5

An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script

Vendor: insiders-technologies
Product: e-invoice_pro
Published: Jan 08, 2026
Source: NVD
CVE-2025-50334 HIGH - 7.5

An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component

Vendor: technitium
Product: dnsserver
Published: Jan 08, 2026
Source: NVD
CVE-2026-22255 HIGH - 8.8

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This ...

Vendor: color
Product: iccdev
Published: Jan 08, 2026
Source: NVD
CVE-2026-22245 HIGH - 7.5

Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) ...

Vendor: joinmastodon
Product: mastodon
Published: Jan 08, 2026
Source: NVD
CVE-2026-22244 HIGH - 7.2

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

Vendor: open-metadata
Product: openmetadata
Published: Jan 08, 2026
Source: NVD
CVE-2025-68151 HIGH - 7.5

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connectio...

Vendor: coredns.io
Product: coredns
Published: Jan 08, 2026
Source: NVD
CVE-2025-67089 HIGH - 8.1

A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands wi...

Vendor: gl-inet
Product: gl-axt1800_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2025-63611 HIGH - 8.7

Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint...

Vendor: phpgurukul
Product: hostel_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2026-22241 HIGH - 7.2

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file syst...

Vendor: openeclass
Product: openeclass
Published: Jan 08, 2026
Source: NVD
CVE-2026-22042 HIGH - 8.8

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM d...

Vendor: rustfs
Product: rustfs
Published: Jan 08, 2026
Source: NVD
CVE-2026-21892 HIGH - 7.3

Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL rout...

Vendor: uchicago
Product: parsl
Published: Jan 08, 2026
Source: NVD
CVE-2025-14025 HIGH - 8.5

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If th...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0719 HIGH - 8.6

A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect...

Published: Jan 08, 2026
Source: NVD
CVE-2025-69260 HIGH - 7.5

A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.

Vendor: trendmicro
Product: apex_central
Published: Jan 08, 2026
Source: NVD
CVE-2025-69259 HIGH - 7.5

A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.

Vendor: trendmicro
Product: apex_central
Published: Jan 08, 2026
Source: NVD
CVE-2025-66001 HIGH - 8.8

NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68889 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS. This issue affects Pinpoll: from n/a through <= 4.0.0.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68887 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through <= 3.1.5.

Published: Jan 08, 2026
Source: NVD
CVE-2025-68874 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS. This issue affects Visitor Stats Widget: from n/a through <= 1.5.0.

Published: Jan 08, 2026
Source: NVD