Total CVEs

142,588

Critical Severity

4,002

High Severity

14,355

Last 7 Days

1,883
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 13,601 - 13,620 of 14,399 CVEs
CVE-2021-47841 MEDIUM - 6.1

SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs.

Vendor: gurayyarar
Product: SnipCommand
Published: Jan 16, 2026
Source: NVD
CVE-2021-47836 MEDIUM - 6.1

Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access.

Vendor: jersou
Product: Markdown Explorer
Published: Jan 16, 2026
Source: NVD
CVE-2021-47834 MEDIUM - 6.4

Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users.

Vendor: Schlix
Product: Schlix CMS
Published: Jan 16, 2026
Source: NVD
CVE-2021-47820 MEDIUM - 5.3

Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent.

Vendor: Ubeeinteractive
Product: Ubee EVW327
Published: Jan 16, 2026
Source: NVD
CVE-2025-51602 MEDIUM - 4.8

mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server.

Vendor: VideoLAN
Product: VLC media player
Published: Jan 16, 2026
Source: NVD
CVE-2025-43904 MEDIUM - 4.2

In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator.

Vendor: SchedMD
Product: Slurm
Published: Jan 16, 2026
Source: NVD
CVE-2025-43508 MEDIUM - 5.5

A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.

Vendor: Apple
Product: macOS
Published: Jan 16, 2026
Source: NVD
CVE-2025-24531 MEDIUM - 6.7

In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass.

Vendor: OpenSC project
Product: pam_pkcs11
Published: Jan 16, 2026
Source: NVD
CVE-2025-24089 MEDIUM - 5.3

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps.

Vendor: Apple
Product: iOS and iPadOS
Published: Jan 16, 2026
Source: NVD
CVE-2026-0949 MEDIUM - 6.5

PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and us...

Published: Jan 16, 2026
Source: NVD
CVE-2026-0696 MEDIUM - 6.5

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

Vendor: connectwise
Product: professional_service_automation
Published: Jan 16, 2026
Source: NVD
CVE-2026-0695 MEDIUM - 5.4

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected conte...

Vendor: connectwise
Product: professional_service_automation
Published: Jan 16, 2026
Source: NVD
CVE-2025-15104 MEDIUM - 5.3

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 12...

Vendor: validator
Product: validator
Published: Jan 16, 2026
Source: NVD
CVE-2025-14435 MEDIUM - 6.5

Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.

Vendor: mattermost
Product: mattermost_server
Published: Jan 16, 2026
Source: NVD
CVE-2026-22876 MEDIUM - 6.5

Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low("monitoring user") or higher privilege.

Vendor: TOA Corporation
Product: Multiple Network Cameras TRIFORA 3 series
Published: Jan 16, 2026
Source: NVD
CVE-2026-20894 MEDIUM - 4.8

Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses t...

Vendor: TOA Corporation
Product: Multiple Network Cameras TRIFORA 3 series
Published: Jan 16, 2026
Source: NVD
CVE-2026-1004 MEDIUM - 5.3

The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product informatio...

Published: Jan 16, 2026
Source: NVD
CVE-2026-0913 MEDIUM - 6.4

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escapin...

Published: Jan 16, 2026
Source: NVD
CVE-2025-14822 MEDIUM - 6.5

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens

Vendor: mattermost
Product: mattermost_server
Published: Jan 16, 2026
Source: NVD
CVE-2025-14757 MEDIUM - 5.3

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, mak...

Vendor: stylemixthemes
Product: cost_calculator_builder
Published: Jan 16, 2026
Source: NVD