Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,814
Quick preset (or use dates below)
Clear Filters
Showing 13,901 - 13,920 of 14,783 CVEs
CVE-2025-69267 MEDIUM - 6.5

Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal.This issue affects DX NetOps Spectrum: 24.3.8 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2026-0853 MEDIUM - 5.3

Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.

Published: Jan 12, 2026
Source: NVD
CVE-2026-0843 MEDIUM - 6.3

A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. ...

Published: Jan 11, 2026
Source: NVD
CVE-2026-0842 MEDIUM - 6.3

A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The ...

Published: Jan 11, 2026
Source: NVD
CVE-2025-13393 MEDIUM - 4.3

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This ...

Published: Jan 10, 2026
Source: NVD
CVE-2025-12379 MEDIUM - 6.4

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and β€˜title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14555 MEDIUM - 6.4

The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. ...

Published: Jan 10, 2026
Source: NVD
CVE-2025-15504 MEDIUM - 5.5

A security flaw has been discovered in lief-project LIEF up to 0.17.1. Affected by this issue is the function Parser::parse_binary of the file src/ELF/Parser.tcc of the component ELF Binary Parser. The manipulation results in null pointer dereference. The attack must be initiated from a local positi...

Vendor: lief-project
Product: lief
Published: Jan 10, 2026
Source: NVD
CVE-2025-14506 MEDIUM - 6.4

The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for a...

Published: Jan 10, 2026
Source: NVD
CVE-2026-0831 MEDIUM - 5.3

The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to ...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14976 MEDIUM - 5.4

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect no...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22773 MEDIUM - 6.5

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimensio...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22705 MEDIUM - 6.4

RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22703 MEDIUM - 5.5

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Reko...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22702 MEDIUM - 4.5

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14948 MEDIUM - 5.3

The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unaut...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14943 MEDIUM - 4.3

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22701 MEDIUM - 5.3

filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between t...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22693 MEDIUM - 5.3

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22689 MEDIUM - 6.5

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a maliciou...

Published: Jan 10, 2026
Source: NVD