Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,814
Quick preset (or use dates below)
Clear Filters
Showing 13,681 - 13,700 of 14,356 CVEs
CVE-2026-0500 HIGH - 8.8

Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope ...

Vendor: sap
Product: introscope_enterprise_manager
Published: Jan 13, 2026
Source: NVD
CVE-2026-0498 HIGH - 7.2

SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effe...

Vendor: sap
Product: s\/4_hana
Published: Jan 13, 2026
Source: NVD
CVE-2026-0492 HIGH - 8.8

SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability.

Published: Jan 13, 2026
Source: NVD
CVE-2026-22812 HIGH - 8.8

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

Vendor: anoma
Product: opencode
Published: Jan 12, 2026
Source: NVD
CVE-2026-22801 HIGH - 7.8

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap bu...

Vendor: libpng
Product: libpng
Published: Jan 12, 2026
Source: NVD
CVE-2026-22695 HIGH - 7.1

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with ...

Vendor: libpng
Product: libpng
Published: Jan 12, 2026
Source: NVD
CVE-2025-15514 HIGH - 7.5

Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid me...

Vendor: ollama
Product: ollama
Published: Jan 12, 2026
Source: NVD
CVE-2024-58340 HIGH - 7.5

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions fr...

Vendor: langchain
Product: langchain
Published: Jan 12, 2026
Source: NVD
CVE-2024-58339 HIGH - 7.5

LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without...

Vendor: llamaindex
Product: llamaindex
Published: Jan 12, 2026
Source: NVD
CVE-2024-14021 HIGH - 7.8

LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir w...

Vendor: llamaindex
Product: llamaindex
Published: Jan 12, 2026
Source: NVD
CVE-2026-22799 HIGH - 8.8

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key ...

Vendor: emlog
Product: emlog
Published: Jan 12, 2026
Source: NVD
CVE-2026-22794 HIGH - 8.8

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generate...

Vendor: appsmith
Product: appsmith
Published: Jan 12, 2026
Source: NVD
CVE-2026-22789 HIGH - 8.8

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code...

Vendor: wem-project
Product: wem
Published: Jan 12, 2026
Source: NVD
CVE-2026-22788 HIGH - 8.2

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quo...

Vendor: wem-project
Product: wem
Published: Jan 12, 2026
Source: NVD
CVE-2023-36331 HIGH - 8.2

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.

Vendor: exrick
Product: xmall
Published: Jan 12, 2026
Source: NVD
CVE-2026-22783 HIGH - 8.1

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation e...

Vendor: dfir-iris
Product: iris
Published: Jan 12, 2026
Source: NVD
CVE-2026-22776 HIGH - 7.5

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_...

Vendor: yhirose
Product: cpp-httplib
Published: Jan 12, 2026
Source: NVD
CVE-2026-22771 HIGH - 8.8

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communi...

Published: Jan 12, 2026
Source: NVD
CVE-2025-68472 HIGH - 8.1

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT h...

Published: Jan 12, 2026
Source: NVD
CVE-2025-46068 HIGH - 8.8

An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism

Vendor: automai
Product: director
Published: Jan 12, 2026
Source: NVD