Total CVEs

142,888

Critical Severity

4,037

High Severity

14,476

Last 7 Days

1,350
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,841 - 13,860 of 14,508 CVEs
CVE-2025-37185 MEDIUM - 4.8

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary s...

Vendor: arubanetworks
Product: edgeconnect_sd-wan_orchestrator
Published: Jan 14, 2026
Source: NVD
CVE-2025-67399 MEDIUM - 4.6

An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module) on the device is open to access

Published: Jan 14, 2026
Source: NVD
CVE-2025-14242 MEDIUM - 6.5

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

Published: Jan 14, 2026
Source: NVD
CVE-2025-56226 MEDIUM - 5.3

Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.

Vendor: libsndfile_project
Product: libsndfile
Published: Jan 14, 2026
Source: NVD
CVE-2025-66169 MEDIUM - 5.3

Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0.

Vendor: apache
Product: camel
Published: Jan 14, 2026
Source: NVD
CVE-2026-0529 MEDIUM - 6.5

Improper Validation of Array Index (CWE-129) in Packetbeatโ€™s MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol pa...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0813 MEDIUM - 4.4

The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0812 MEDIUM - 4.4

The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and out...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0741 MEDIUM - 4.4

The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0739 MEDIUM - 4.4

The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level acces...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0734 MEDIUM - 4.4

The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administ...

Published: Jan 14, 2026
Source: NVD
CVE-2025-68492 MEDIUM - 4.2

Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.

Published: Jan 14, 2026
Source: NVD
CVE-2025-15513 MEDIUM - 5.3

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as fa...

Published: Jan 14, 2026
Source: NVD
CVE-2025-15512 MEDIUM - 5.3

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order...

Published: Jan 14, 2026
Source: NVD
CVE-2025-15475 MEDIUM - 5.3

The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to c...

Published: Jan 14, 2026
Source: NVD
CVE-2025-15376 MEDIUM - 4.3

The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible...

Published: Jan 14, 2026
Source: NVD
CVE-2025-14846 MEDIUM - 4.3

The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings ...

Published: Jan 14, 2026
Source: NVD
CVE-2025-14173 MEDIUM - 5.3

The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated at...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0717 MEDIUM - 5.3

The LottieFiles โ€“ Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner...

Published: Jan 14, 2026
Source: NVD
CVE-2026-0694 MEDIUM - 6.4

The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible fo...

Published: Jan 14, 2026
Source: NVD