Total CVEs

142,588

Critical Severity

4,002

High Severity

14,355

Last 7 Days

1,847
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,681 - 13,700 of 14,399 CVEs
CVE-2025-67078 MEDIUM - 6.1

Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors.

Vendor: agora-project
Product: agora-project
Published: Jan 15, 2026
Source: NVD
CVE-2021-47799 MEDIUM - 6.2

Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges.

Vendor: Visual-Tools
Product: Visual Tools DVR VX16
Published: Jan 15, 2026
Source: NVD
CVE-2021-47776 MEDIUM - 5.3

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardC...

Vendor: umbraco
Product: umbraco_cms
Published: Jan 15, 2026
Source: NVD
CVE-2021-47771 MEDIUM - 5.5

RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstalla...

Vendor: cinspiration
Product: rdp_manager
Published: Jan 15, 2026
Source: NVD
CVE-2021-47769 MEDIUM - 4.8

Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phi...

Vendor: bdtask
Product: isshue
Published: Jan 15, 2026
Source: NVD
CVE-2021-47768 MEDIUM - 6.1

ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or ...

Vendor: thundernest
Product: ImportExportTools NG
Published: Jan 15, 2026
Source: NVD
CVE-2021-47765 MEDIUM - 5.5

AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to be...

Vendor: celestialsoftware
Product: absolutetelnet
Published: Jan 15, 2026
Source: NVD
CVE-2021-47764 MEDIUM - 5.5

AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and f...

Vendor: celestialsoftware
Product: absolutetelnet
Published: Jan 15, 2026
Source: NVD
CVE-2021-47759 MEDIUM - 6.2

MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH cr...

Vendor: Ttyplus
Product: MTPutty
Published: Jan 15, 2026
Source: NVD
CVE-2021-47754 MEDIUM - 6.5

Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users in...

Vendor: arunna
Product: arunna
Published: Jan 15, 2026
Source: NVD
CVE-2026-0990 MEDIUM - 5.9

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a sp...

Published: Jan 15, 2026
Source: NVD
CVE-2025-67083 MEDIUM - 5.3

Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.

Vendor: invoiceplane
Product: invoiceplane
Published: Jan 15, 2026
Source: NVD
CVE-2025-67082 MEDIUM - 6.5

An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data f...

Vendor: invoiceplane
Product: invoiceplane
Published: Jan 15, 2026
Source: NVD
CVE-2025-67081 MEDIUM - 4.9

An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability ar...

Vendor: itflow
Product: itflow
Published: Jan 15, 2026
Source: NVD
CVE-2026-22646 MEDIUM - 4.3

Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal str...

Vendor: SICK AG
Product: Incoming Goods Suite
Published: Jan 15, 2026
Source: NVD
CVE-2026-22645 MEDIUM - 5.3

The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components.

Vendor: SICK AG
Product: Incoming Goods Suite
Published: Jan 15, 2026
Source: NVD
CVE-2026-22644 MEDIUM - 5.3

Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.

Vendor: SICK AG
Product: Incoming Goods Suite
Published: Jan 15, 2026
Source: NVD
CVE-2025-13859 MEDIUM - 6.4

The AffiliateX โ€“ Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level ac...

Vendor: wpcenter
Product: AffiliateX โ€“ Amazon Affiliate Plugin
Published: Jan 15, 2026
Source: NVD
CVE-2025-12895 MEDIUM - 5.3

The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attacker...

Vendor: Laborator
Product: Kalium 3 | Creative WordPress & WooCommerce Theme
Published: Jan 15, 2026
Source: NVD
CVE-2026-22919 MEDIUM - 4.8

An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD