Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,847
Quick preset (or use dates below)
Clear Filters
Showing 13,681 - 13,700 of 14,756 CVEs
CVE-2026-0421 MEDIUM - 6.5

A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as β€œOn” in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode.

Published: Jan 14, 2026
Source: NVD
CVE-2025-13454 MEDIUM - 4.7

A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information.

Published: Jan 14, 2026
Source: NVD
CVE-2025-13453 MEDIUM - 6.8

A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive.

Published: Jan 14, 2026
Source: NVD
CVE-2025-13154 MEDIUM - 5.5

An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges.

Published: Jan 14, 2026
Source: NVD
CVE-2026-0962 MEDIUM - 6.5

SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service

Vendor: wireshark
Product: wireshark
Published: Jan 14, 2026
Source: NVD
CVE-2026-0961 MEDIUM - 6.5

BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service

Vendor: wireshark
Product: wireshark
Published: Jan 14, 2026
Source: NVD
CVE-2026-0960 MEDIUM - 5.5

HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service

Vendor: wireshark
Product: wireshark
Published: Jan 14, 2026
Source: NVD
CVE-2026-0959 MEDIUM - 6.5

IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service

Vendor: wireshark
Product: wireshark
Published: Jan 14, 2026
Source: NVD
CVE-2026-23497 MEDIUM - 5.4

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages.

Vendor: frappe
Product: learning
Published: Jan 14, 2026
Source: NVD
CVE-2026-23492 MEDIUM - 4.9

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQ...

Vendor: pimcore
Product: pimcore
Published: Jan 14, 2026
Source: NVD
CVE-2025-71166 MEDIUM - 5.4

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Statu...

Vendor: typesettercms
Product: typesetter
Published: Jan 14, 2026
Source: NVD
CVE-2025-71165 MEDIUM - 5.4

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php....

Vendor: typesettercms
Product: typesetter
Published: Jan 14, 2026
Source: NVD
CVE-2025-71164 MEDIUM - 5.4

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/...

Vendor: typesettercms
Product: typesetter
Published: Jan 14, 2026
Source: NVD
CVE-2025-14557 MEDIUM - 4.8

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.

Vendor: facebook_pixel_project
Product: facebook_pixel
Published: Jan 14, 2026
Source: NVD
CVE-2025-14556 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9.

Vendor: flag_module_project
Product: flag
Published: Jan 14, 2026
Source: NVD
CVE-2025-11224 MEDIUM - 5.4

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.

Vendor: gitlab
Product: gitlab
Published: Jan 14, 2026
Source: NVD
CVE-2026-22851 MEDIUM - 5.9

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has be...

Vendor: freerdp
Product: freerdp
Published: Jan 14, 2026
Source: NVD
CVE-2025-65397 MEDIUM - 6.8

An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file ...

Published: Jan 14, 2026
Source: NVD
CVE-2025-63644 MEDIUM - 5.4

A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field.

Vendor: ph7builder
Product: ph7_social_dating_builder
Published: Jan 14, 2026
Source: NVD
CVE-2026-22779 MEDIUM - 5.3

BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new hea...

Vendor: neoteroi
Product: blacksheep
Published: Jan 14, 2026
Source: NVD