Total CVEs

142,888

Critical Severity

4,037

High Severity

14,476

Last 7 Days

1,302
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 13,901 - 13,920 of 14,508 CVEs
CVE-2022-50899 MEDIUM - 6.5

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files thro...

Published: Jan 13, 2026
Source: NVD
CVE-2022-50897 MEDIUM - 6.2

mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications.

Published: Jan 13, 2026
Source: NVD
CVE-2022-50896 MEDIUM - 6.1

Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context.

Published: Jan 13, 2026
Source: NVD
CVE-2022-50894 MEDIUM - 6.5

VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with malicious img_id values to extract database infor...

Vendor: viaviweb
Product: wallpaper_admin
Published: Jan 13, 2026
Source: NVD
CVE-2022-50891 MEDIUM - 6.2

Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScri...

Published: Jan 13, 2026
Source: NVD
CVE-2021-47750 MEDIUM - 6.1

YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when ...

Vendor: youphptube
Product: youphptube
Published: Jan 13, 2026
Source: NVD
CVE-2021-47749 MEDIUM - 5.5

YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outsid...

Vendor: youphptube
Product: youphptube
Published: Jan 13, 2026
Source: NVD
CVE-2020-36919 MEDIUM - 6.1

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser.

Published: Jan 13, 2026
Source: NVD
CVE-2025-68947 MEDIUM - 4.7

NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver.

Published: Jan 13, 2026
Source: NVD
CVE-2025-68658 MEDIUM - 4.8

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the permission “Configuratio...

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Jan 13, 2026
Source: NVD
CVE-2026-21303 MEDIUM - 5.5

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a v...

Vendor: adobe
Product: substance_3d_modeler
Published: Jan 13, 2026
Source: NVD
CVE-2026-21302 MEDIUM - 5.5

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a v...

Vendor: adobe
Product: substance_3d_modeler
Published: Jan 13, 2026
Source: NVD
CVE-2026-21301 MEDIUM - 5.5

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: adobe
Product: substance_3d_modeler
Published: Jan 13, 2026
Source: NVD
CVE-2026-21300 MEDIUM - 5.5

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: adobe
Product: substance_3d_modeler
Published: Jan 13, 2026
Source: NVD
CVE-2026-0543 MEDIUM - 6.5

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connecto...

Vendor: elastic
Product: kibana
Published: Jan 13, 2026
Source: NVD
CVE-2026-0531 MEDIUM - 6.5

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies...

Vendor: elastic
Product: kibana
Published: Jan 13, 2026
Source: NVD
CVE-2026-0530 MEDIUM - 6.5

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or ...

Vendor: elastic
Product: kibana
Published: Jan 13, 2026
Source: NVD
CVE-2026-22818 MEDIUM - 6.5

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define ...

Vendor: hono
Product: hono
Published: Jan 13, 2026
Source: NVD
CVE-2026-22817 MEDIUM - 6.5

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. ...

Vendor: hono
Product: hono
Published: Jan 13, 2026
Source: NVD
CVE-2026-22809 MEDIUM - 4.4

tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.

Vendor: amauri
Product: tarteaucitronjs
Published: Jan 13, 2026
Source: NVD