Total CVEs

142,588

Critical Severity

4,002

High Severity

14,355

Last 7 Days

1,844
Quick preset (or use dates below)
Clear Filters
Showing 13,861 - 13,880 of 14,782 CVEs
CVE-2026-0886 MEDIUM - 5.3

Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Vendor: mozilla
Product: firefox
Published: Jan 13, 2026
Source: NVD
CVE-2026-0885 MEDIUM - 6.5

Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Vendor: mozilla
Product: firefox
Published: Jan 13, 2026
Source: NVD
CVE-2026-0883 MEDIUM - 5.3

Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Vendor: mozilla
Product: firefox
Published: Jan 13, 2026
Source: NVD
CVE-2026-0684 MEDIUM - 4.3

The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-leve...

Published: Jan 13, 2026
Source: NVD
CVE-2025-9435 MEDIUM - 5.5

Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module

Published: Jan 13, 2026
Source: NVD
CVE-2025-14507 MEDIUM - 5.3

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, ema...

Published: Jan 13, 2026
Source: NVD
CVE-2025-59021 MEDIUM - 6.4

Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs –...

Vendor: typo3
Product: typo3
Published: Jan 13, 2026
Source: NVD
CVE-2025-59020 MEDIUM - 6.5

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set ...

Vendor: typo3
Product: typo3
Published: Jan 13, 2026
Source: NVD
CVE-2025-14001 MEDIUM - 5.4

The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated ...

Published: Jan 13, 2026
Source: NVD
CVE-2026-0514 MEDIUM - 6.1

Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to acce...

Vendor: sap
Product: business_connector
Published: Jan 13, 2026
Source: NVD
CVE-2026-0513 MEDIUM - 4.7

Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Co...

Vendor: sap
Product: supplier_relationship_management
Published: Jan 13, 2026
Source: NVD
CVE-2026-0503 MEDIUM - 6.4

Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can ...

Published: Jan 13, 2026
Source: NVD
CVE-2026-0499 MEDIUM - 6.1

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal...

Published: Jan 13, 2026
Source: NVD
CVE-2026-0497 MEDIUM - 4.3

SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0496 MEDIUM - 6.6

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0495 MEDIUM - 5.1

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0494 MEDIUM - 4.3

Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0493 MEDIUM - 4.3

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on be...

Published: Jan 13, 2026
Source: NVD
CVE-2026-22813 MEDIUM - 6.1

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for...

Vendor: anoma
Product: opencode
Published: Jan 12, 2026
Source: NVD
CVE-2026-22804 MEDIUM - 4.7

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This...

Vendor: termix
Product: termix
Published: Jan 12, 2026
Source: NVD