Total CVEs

142,588

Critical Severity

4,002

High Severity

14,355

Last 7 Days

1,844
Quick preset (or use dates below)
Clear Filters
Showing 13,881 - 13,900 of 14,782 CVEs
CVE-2026-22800 MEDIUM - 4.5

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs...

Vendor: thm
Product: pilos
Published: Jan 12, 2026
Source: NVD
CVE-2026-22798 MEDIUM - 5.9

hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via her...

Published: Jan 12, 2026
Source: NVD
CVE-2026-22772 MEDIUM - 5.8

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the S...

Published: Jan 12, 2026
Source: NVD
CVE-2021-41074 MEDIUM - 5.4

A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document.

Vendor: webkul
Product: qloapps
Published: Jan 12, 2026
Source: NVD
CVE-2026-22784 MEDIUM - 4.3

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protec...

Vendor: lycheeorg
Product: lychee
Published: Jan 12, 2026
Source: NVD
CVE-2026-22251 MEDIUM - 5.3

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

Published: Jan 12, 2026
Source: NVD
CVE-2026-22050 MEDIUM - 4.3

ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none.

Vendor: netapp
Product: ontap
Published: Jan 12, 2026
Source: NVD
CVE-2025-68657 MEDIUM - 6.4

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interf...

Vendor: espressif
Product: usb_host_hid_driver
Published: Jan 12, 2026
Source: NVD
CVE-2025-68656 MEDIUM - 6.8

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immedia...

Vendor: espressif
Product: usb_host_hid_driver
Published: Jan 12, 2026
Source: NVD
CVE-2025-68471 MEDIUM - 6.5

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.

Vendor: avahi
Product: avahi
Published: Jan 12, 2026
Source: NVD
CVE-2025-68468 MEDIUM - 6.5

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they exp...

Vendor: avahi
Product: avahi
Published: Jan 12, 2026
Source: NVD
CVE-2025-68276 MEDIUM - 5.5

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This c...

Vendor: avahi
Product: avahi
Published: Jan 12, 2026
Source: NVD
CVE-2025-68622 MEDIUM - 6.8

Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configurati...

Vendor: espressif
Product: usb_host_uvc_class_driver
Published: Jan 12, 2026
Source: NVD
CVE-2025-66689 MEDIUM - 6.5

A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system dir...

Vendor: busymac
Product: pal_mcp_server
Published: Jan 12, 2026
Source: NVD
CVE-2025-67813 MEDIUM - 5.3

Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication

Vendor: quest
Product: kace_desktop_authority
Published: Jan 12, 2026
Source: NVD
CVE-2025-66939 MEDIUM - 5.4

Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file

Vendor: altumcode
Product: 66biolinks
Published: Jan 12, 2026
Source: NVD
CVE-2025-65553 MEDIUM - 6.5

D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detecti...

Vendor: d3dsecurity
Product: xz-g12_firmware
Published: Jan 12, 2026
Source: NVD
CVE-2025-14579 MEDIUM - 4.8

The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: Jan 12, 2026
Source: NVD
CVE-2025-69275 MEDIUM - 6.1

Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS.This issue affects DX NetOps Spectrum: 24.3.9 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2025-69268 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS.This issue affects DX NetOps Spectrum: 24.3.8 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD