Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,782
Quick preset (or use dates below)
Clear Filters
Showing 13,741 - 13,760 of 14,356 CVEs
CVE-2026-22606 HIGH - 7.8

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a ...

Vendor: trailofbits
Product: fickling
Published: Jan 10, 2026
Source: NVD
CVE-2026-22601 HIGH - 7.2

OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.

Vendor: openproject
Product: openproject
Published: Jan 10, 2026
Source: NVD
CVE-2026-22697 HIGH - 7.5

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib’s KMC crypto service integration is...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-22026 HIGH - 7.5

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the libcurl write_callback function in the KM...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-22023 HIGH - 7.5

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, there is an out-of-bounds heap read vulnerabi...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-21898 HIGH - 8.2

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-21897 HIGH - 7.3

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameter...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-0830 HIGH - 7.8

Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version.

Published: Jan 09, 2026
Source: NVD
CVE-2025-67070 HIGH - 8.2

A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the...

Published: Jan 09, 2026
Source: NVD
CVE-2026-22197 HIGH - 8.1

GestSup versions prior to 3.2.60 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate da...

Vendor: gestsup
Product: gestsup
Published: Jan 09, 2026
Source: NVD
CVE-2026-22196 HIGH - 8.1

GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Succes...

Vendor: gestsup
Product: gestsup
Published: Jan 09, 2026
Source: NVD
CVE-2026-22195 HIGH - 8.1

GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can resu...

Vendor: gestsup
Product: gestsup
Published: Jan 09, 2026
Source: NVD
CVE-2026-22194 HIGH - 8.8

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. ...

Vendor: gestsup
Product: gestsup
Published: Jan 09, 2026
Source: NVD
CVE-2025-66744 HIGH - 7.5

In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system

Published: Jan 09, 2026
Source: NVD
CVE-2025-15495 HIGH - 7.2

A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was...

Vendor: biggidroid
Product: simple_php_cms
Published: Jan 09, 2026
Source: NVD
CVE-2025-15494 HIGH - 8.8

A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and...

Vendor: docsys_project
Product: docsys
Published: Jan 09, 2026
Source: NVD
CVE-2026-0803 HIGH - 8.8

A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in sql injection. The attack may be launched remotely. The expl...

Vendor: phpgurukul
Product: online_course_registration_system
Published: Jan 09, 2026
Source: NVD
CVE-2025-67133 HIGH - 7.5

An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component

Published: Jan 09, 2026
Source: NVD
CVE-2025-56225 HIGH - 7.5

fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file.

Vendor: fluidsynth
Product: fluidsynth
Published: Jan 09, 2026
Source: NVD
CVE-2025-15492 HIGH - 8.8

A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the attack remotely. The e...

Vendor: docsys_project
Product: docsys
Published: Jan 09, 2026
Source: NVD