Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,871
Quick preset (or use dates below)
Clear Filters
Showing 13,641 - 13,660 of 14,756 CVEs
CVE-2025-15265 MEDIUM - 6.1

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users&#...

Vendor: svelte
Product: svelte
Published: Jan 15, 2026
Source: NVD
CVE-2025-70303 MEDIUM - 5.5

A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-70302 MEDIUM - 5.5

A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-70299 MEDIUM - 6.5

A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file.

Vendor: n/a
Product: n/a
Published: Jan 15, 2026
Source: NVD
CVE-2026-23496 MEDIUM - 5.4

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that ...

Vendor: pimcore
Product: pimcore
Published: Jan 15, 2026
Source: NVD
CVE-2026-23495 MEDIUM - 4.3

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, ...

Vendor: pimcore
Product: pimcore
Published: Jan 15, 2026
Source: NVD
CVE-2026-23494 MEDIUM - 6.5

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined v...

Vendor: pimcore
Product: pimcore
Published: Jan 15, 2026
Source: NVD
CVE-2026-23493 MEDIUM - 4.9

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered thro...

Vendor: pimcore
Product: pimcore
Published: Jan 15, 2026
Source: NVD
CVE-2026-20076 MEDIUM - 4.8

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied ...

Vendor: Cisco
Product: Cisco Identity Services Engine Software
Published: Jan 15, 2026
Source: NVD
CVE-2026-20075 MEDIUM - 4.8

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This ...

Vendor: Cisco
Product: Cisco Evolved Programmable Network Manager (EPNM), Cisco Prime Infrastructure
Published: Jan 15, 2026
Source: NVD
CVE-2026-20047 MEDIUM - 4.8

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due t...

Vendor: Cisco
Product: Cisco Identity Services Engine Software
Published: Jan 15, 2026
Source: NVD
CVE-2025-70310 MEDIUM - 5.5

A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-70309 MEDIUM - 5.5

A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-70305 MEDIUM - 5.5

A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file.

Vendor: gpac
Product: gpac
Published: Jan 15, 2026
Source: NVD
CVE-2025-67078 MEDIUM - 6.1

Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors.

Vendor: agora-project
Product: agora-project
Published: Jan 15, 2026
Source: NVD
CVE-2021-47799 MEDIUM - 6.2

Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges.

Vendor: Visual-Tools
Product: Visual Tools DVR VX16
Published: Jan 15, 2026
Source: NVD
CVE-2021-47776 MEDIUM - 5.3

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardC...

Vendor: umbraco
Product: umbraco_cms
Published: Jan 15, 2026
Source: NVD
CVE-2021-47771 MEDIUM - 5.5

RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstalla...

Vendor: cinspiration
Product: rdp_manager
Published: Jan 15, 2026
Source: NVD
CVE-2021-47769 MEDIUM - 4.8

Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phi...

Vendor: bdtask
Product: isshue
Published: Jan 15, 2026
Source: NVD
CVE-2021-47768 MEDIUM - 6.1

ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or ...

Vendor: thundernest
Product: ImportExportTools NG
Published: Jan 15, 2026
Source: NVD