Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,760
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,741 - 13,760 of 13,803 CVEs
CVE-2025-67303 HIGH - 7.5

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface.

Vendor: pip
Product: comfyui-manager
Published: Jan 05, 2026
Source: NVD
CVE-2025-66376 HIGH - 7.2

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

Published: Jan 05, 2026
Source: NVD
CVE-2023-49186 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS. This issue affects Machic Core: from n/a through 1.2.6.

Published: Jan 05, 2026
Source: NVD
CVE-2026-0589 HIGH - 7.3

A vulnerability was found in code-projects Online Product Reservation System 1.0. An unknown function of the Administration Backend component is affected. The manipulation results in improper authentication. The attack may be performed remotely. The exploit has been made public and could be used.

Vendor: fabian
Product: online_product_reservation_system
Published: Jan 05, 2026
Source: NVD
CVE-2025-69087 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion. This issue affects FreeAgent: from n/a through 2.1.2.

Published: Jan 05, 2026
Source: NVD
CVE-2025-68850 HIGH - 7.5

Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sell Downloads: from n/a through 1.1.12.

Published: Jan 05, 2026
Source: NVD
CVE-2025-68547 HIGH - 7.5

Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Follow My Blog Post: from n/a through 2.4.0.

Published: Jan 05, 2026
Source: NVD
CVE-2025-68044 HIGH - 8.6

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8.

Published: Jan 05, 2026
Source: NVD
CVE-2025-68033 HIGH - 7.5

Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data. This issue affects Custom Related Posts: from n/a through 1.8.0.

Published: Jan 05, 2026
Source: NVD
CVE-2025-31047 HIGH - 8.8

Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection. This issue affects Themify Edmin: from n/a through 2.0.0.

Published: Jan 05, 2026
Source: NVD
CVE-2025-31044 HIGH - 8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection. This issue affects Premium SEO Pack: from n/a through 3.3.2.

Published: Jan 05, 2026
Source: NVD
CVE-2025-5965 HIGH - 7.2

In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administra...

Published: Jan 05, 2026
Source: NVD
CVE-2025-15240 HIGH - 8.8

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Vendor: quantatw
Product: qoca_aim
Published: Jan 05, 2026
Source: NVD
CVE-2025-15462 HIGH - 8.8

A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigAdvideo. The manipulation of the argument timestart leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public a...

Vendor: utt
Product: 520w_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-15461 HIGH - 8.8

A flaw has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTaskEdit. Executing a manipulation of the argument selDateType can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. T...

Vendor: utt
Product: 520w_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-15460 HIGH - 8.8

A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formPptpClientConfig. Performing a manipulation of the argument EncryptionMode results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may b...

Vendor: utt
Product: 520w_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-15459 HIGH - 8.8

A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. Such manipulation of the argument passwd1 leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may...

Vendor: utt
Product: 520w_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-14124 HIGH - 8.6

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Published: Jan 05, 2026
Source: NVD
CVE-2025-15456 HIGH - 7.5

A vulnerability has been found in bg5sbk MiniCMS up to 1.8. The affected element is an unknown function of the file /mc-admin/page-edit.php of the component Publish Page Handler. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit has been disclos...

Vendor: 1234n
Product: minicms
Published: Jan 05, 2026
Source: NVD
CVE-2025-15443 HIGH - 7.2

A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. Th...

Vendor: crmeb
Product: crmeb
Published: Jan 04, 2026
Source: NVD