Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,755
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,761 - 13,780 of 13,803 CVEs
CVE-2025-15442 HIGH - 7.2

A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. T...

Vendor: crmeb
Product: crmeb
Published: Jan 04, 2026
Source: NVD
CVE-2025-3653 HIGH - 7.3

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control A...

Published: Jan 04, 2026
Source: NVD
CVE-2025-3646 HIGH - 7.3

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access ...

Published: Jan 04, 2026
Source: NVD
CVE-2026-21452 HIGH - 7.5

MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later tru...

Published: Jan 02, 2026
Source: NVD
CVE-2026-21451 HIGH - 8.4

Bagisto is an open source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the r...

Vendor: webkul
Product: bagisto
Published: Jan 02, 2026
Source: NVD
CVE-2026-21449 HIGH - 8.8

Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.

Vendor: webkul
Product: bagisto
Published: Jan 02, 2026
Source: NVD
CVE-2026-21447 HIGH - 7.1

Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the ord...

Vendor: webkul
Product: bagisto
Published: Jan 02, 2026
Source: NVD
CVE-2026-21433 HIGH - 7.7

Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the...

Vendor: emlog
Product: emlog
Published: Jan 02, 2026
Source: NVD
CVE-2025-69415 HIGH - 7.1

In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.

Published: Jan 02, 2026
Source: NVD
CVE-2025-69414 HIGH - 8.5

Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.

Published: Jan 02, 2026
Source: NVD
CVE-2025-67160 HIGH - 7.5

An issue in Vatilon v1.12.37-20240124 allows attackers to access sensitive directories and files via a directory traversal.

Published: Jan 02, 2026
Source: NVD
CVE-2025-67159 HIGH - 7.5

Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext.

Published: Jan 02, 2026
Source: NVD
CVE-2025-67158 HIGH - 7.5

An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 - 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request.

Published: Jan 02, 2026
Source: NVD
CVE-2025-9110 HIGH - 7.5

An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following ...

Vendor: qnap
Product: qts
Published: Jan 02, 2026
Source: NVD
CVE-2025-67269 HIGH - 7.5

An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the inpu...

Vendor: gpsd_project
Product: gpsd
Published: Jan 02, 2026
Source: NVD
CVE-2025-59384 HIGH - 7.5

A path traversal vulnerability has been reported to affect Qfiling. The remote attackers can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling 3.13.1 and later

Vendor: qnap
Product: qfiling
Published: Jan 02, 2026
Source: NVD
CVE-2025-52872 HIGH - 8.1

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.32...

Vendor: qnap
Product: quts_hero
Published: Jan 02, 2026
Source: NVD
CVE-2025-52864 HIGH - 8.1

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.32...

Vendor: qnap
Product: quts_hero
Published: Jan 02, 2026
Source: NVD
CVE-2025-52863 HIGH - 8.1

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.32...

Vendor: qnap
Product: quts_hero
Published: Jan 02, 2026
Source: NVD
CVE-2026-0547 HIGH - 8.8

A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be la...

Vendor: phpgurukul
Product: online_course_registration
Published: Jan 02, 2026
Source: NVD