Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,844
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,721 - 13,740 of 14,399 CVEs
CVE-2025-14556 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9.

Vendor: flag_module_project
Product: flag
Published: Jan 14, 2026
Source: NVD
CVE-2025-11224 MEDIUM - 5.4

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.

Vendor: gitlab
Product: gitlab
Published: Jan 14, 2026
Source: NVD
CVE-2026-22851 MEDIUM - 5.9

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has be...

Vendor: freerdp
Product: freerdp
Published: Jan 14, 2026
Source: NVD
CVE-2025-65397 MEDIUM - 6.8

An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file ...

Published: Jan 14, 2026
Source: NVD
CVE-2025-63644 MEDIUM - 5.4

A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field.

Vendor: ph7builder
Product: ph7_social_dating_builder
Published: Jan 14, 2026
Source: NVD
CVE-2026-22779 MEDIUM - 5.3

BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new hea...

Vendor: neoteroi
Product: blacksheep
Published: Jan 14, 2026
Source: NVD
CVE-2026-22694 MEDIUM - 6.1

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a...

Published: Jan 14, 2026
Source: NVD
CVE-2025-67835 MEDIUM - 6.5

Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality.

Vendor: paessler
Product: prtg_network_monitor
Published: Jan 14, 2026
Source: NVD
CVE-2025-67834 MEDIUM - 5.4

Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the filter parameter.

Vendor: paessler
Product: prtg_network_monitor
Published: Jan 14, 2026
Source: NVD
CVE-2025-67833 MEDIUM - 6.1

Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter.

Vendor: paessler
Product: prtg_network_monitor
Published: Jan 14, 2026
Source: NVD
CVE-2025-65396 MEDIUM - 6.1

A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot,...

Published: Jan 14, 2026
Source: NVD
CVE-2025-37185 MEDIUM - 4.8

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary s...

Vendor: arubanetworks
Product: edgeconnect_sd-wan_orchestrator
Published: Jan 14, 2026
Source: NVD
CVE-2025-67399 MEDIUM - 4.6

An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module) on the device is open to access

Published: Jan 14, 2026
Source: NVD
CVE-2025-14242 MEDIUM - 6.5

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

Published: Jan 14, 2026
Source: NVD
CVE-2025-56226 MEDIUM - 5.3

Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.

Vendor: libsndfile_project
Product: libsndfile
Published: Jan 14, 2026
Source: NVD
CVE-2025-66169 MEDIUM - 5.3

Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0.

Vendor: apache
Product: camel
Published: Jan 14, 2026
Source: NVD
CVE-2026-0529 MEDIUM - 6.5

Improper Validation of Array Index (CWE-129) in Packetbeatโ€™s MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol pa...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0813 MEDIUM - 4.4

The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0812 MEDIUM - 4.4

The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and out...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0741 MEDIUM - 4.4

The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-...

Published: Jan 14, 2026
Source: NVD