Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,830
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,561 - 13,580 of 14,373 CVEs
CVE-2025-14632 MEDIUM - 4.4

The Filr โ€“ Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, wi...

Vendor: wpchill
Product: Filr โ€“ Secure document library
Published: Jan 17, 2026
Source: NVD
CVE-2025-14450 MEDIUM - 6.5

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated att...

Vendor: wpswings
Product: Wallet System for WooCommerce โ€“ Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Published: Jan 17, 2026
Source: NVD
CVE-2025-14075 MEDIUM - 5.3

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying o...

Vendor: thimpress
Product: WP Hotel Booking
Published: Jan 17, 2026
Source: NVD
CVE-2025-12718 MEDIUM - 5.8

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthen...

Vendor: saadiqbal
Product: Quick Contact Form
Published: Jan 17, 2026
Source: NVD
CVE-2025-12002 MEDIUM - 5.9

The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes...

Vendor: Awesome Motive
Product: YouTube Feed Pro
Published: Jan 17, 2026
Source: NVD
CVE-2026-21223 MEDIUM - 5.1

Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (nonโ€‘administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged upd...

Published: Jan 16, 2026
Source: NVD
CVE-2025-56451 MEDIUM - 6.1

Cross site scripting vulnerability in seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint.

Vendor: n/a
Product: n/a
Published: Jan 16, 2026
Source: NVD
CVE-2025-15529 MEDIUM - 5.3

A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public...

Vendor: n/a
Product: Open5GS
Published: Jan 16, 2026
Source: NVD
CVE-2025-15528 MEDIUM - 5.3

A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be...

Vendor: n/a
Product: Open5GS
Published: Jan 16, 2026
Source: NVD
CVE-2026-23643 MEDIUM - 5.4

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

Vendor: cakephp
Product: cakephp
Published: Jan 16, 2026
Source: NVD
CVE-2026-23731 MEDIUM - 4.3

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, The web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing andContent-Security-Policy with frame...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Jan 16, 2026
Source: NVD
CVE-2026-23724 MEDIUM - 4.3

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the โ€œ...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Jan 16, 2026
Source: NVD
CVE-2025-69581 MEDIUM - 5.5

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to vi...

Vendor: n/a
Product: n/a
Published: Jan 16, 2026
Source: NVD
CVE-2021-47844 MEDIUM - 6.1

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse i...

Vendor: Xmind
Product: Xmind
Published: Jan 16, 2026
Source: NVD
CVE-2021-47841 MEDIUM - 6.1

SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs.

Vendor: gurayyarar
Product: SnipCommand
Published: Jan 16, 2026
Source: NVD
CVE-2021-47836 MEDIUM - 6.1

Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access.

Vendor: jersou
Product: Markdown Explorer
Published: Jan 16, 2026
Source: NVD
CVE-2021-47834 MEDIUM - 6.4

Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users.

Vendor: Schlix
Product: Schlix CMS
Published: Jan 16, 2026
Source: NVD
CVE-2021-47820 MEDIUM - 5.3

Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent.

Vendor: Ubeeinteractive
Product: Ubee EVW327
Published: Jan 16, 2026
Source: NVD
CVE-2025-51602 MEDIUM - 4.8

mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server.

Vendor: VideoLAN
Product: VLC media player
Published: Jan 16, 2026
Source: NVD
CVE-2025-43904 MEDIUM - 4.2

In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator.

Vendor: SchedMD
Product: Slurm
Published: Jan 16, 2026
Source: NVD