Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,347
Quick preset (or use dates below)
Clear Filters
Showing 13,761 - 13,780 of 14,356 CVEs
CVE-2025-66052 HIGH - 7.2

Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, adm...

Vendor: vivotek
Product: ip7137_firmware
Published: Jan 09, 2026
Source: NVD
CVE-2025-66049 HIGH - 7.5

VivotekĀ IP7137Ā camera with firmware versionĀ 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, pot...

Vendor: vivotek
Product: ip7137_firmware
Published: Jan 09, 2026
Source: NVD
CVE-2025-64092 HIGH - 7.5

This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.

Published: Jan 09, 2026
Source: NVD
CVE-2025-64091 HIGH - 8.6

This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.

Published: Jan 09, 2026
Source: NVD
CVE-2025-69195 HIGH - 7.6

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted UR...

Published: Jan 09, 2026
Source: NVD
CVE-2025-69194 HIGH - 8.8

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss o...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14937 HIGH - 7.2

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escap...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14657 HIGH - 7.2

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for u...

Published: Jan 09, 2026
Source: NVD
CVE-2026-20976 HIGH - 7.8

Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script.

Vendor: samsung
Product: galaxy_store
Published: Jan 09, 2026
Source: NVD
CVE-2026-20971 HIGH - 7.8

Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2026-20970 HIGH - 7.8

Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to execute the privileged APIs.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2025-15057 HIGH - 7.2

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it...

Published: Jan 09, 2026
Source: NVD
CVE-2025-15055 HIGH - 7.2

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated at...

Published: Jan 09, 2026
Source: NVD
CVE-2026-0733 HIGH - 8.8

A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit h...

Vendor: phpgurukul
Product: online_course_registration_system
Published: Jan 09, 2026
Source: NVD
CVE-2026-0729 HIGH - 7.2

A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is n...

Vendor: carmelo
Product: intern_membership_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2025-14436 HIGH - 7.2

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ā€˜user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0728 HIGH - 7.2

A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The expl...

Vendor: carmelo
Product: intern_membership_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2025-68719 HIGH - 8.8

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, en...

Published: Jan 08, 2026
Source: NVD
CVE-2025-68716 HIGH - 8.4

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially...

Published: Jan 08, 2026
Source: NVD
CVE-2025-15464 HIGH - 7.5

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.

Published: Jan 08, 2026
Source: NVD