Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,814
Quick preset (or use dates below)
Clear Filters
Showing 13,921 - 13,940 of 14,783 CVEs
CVE-2026-22691 MEDIUM - 5.3

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference ...

Vendor: pypdf_project
Product: pypdf
Published: Jan 10, 2026
Source: NVD
CVE-2026-22690 MEDIUM - 5.3

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be ac...

Vendor: pypdf_project
Product: pypdf
Published: Jan 10, 2026
Source: NVD
CVE-2025-65090 MEDIUM - 5.3

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has be...

Published: Jan 10, 2026
Source: NVD
CVE-2025-61676 MEDIUM - 4.8

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the styl...

Vendor: octobercms
Product: october
Published: Jan 10, 2026
Source: NVD
CVE-2025-61674 MEDIUM - 4.8

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the styleshe...

Vendor: octobercms
Product: october
Published: Jan 10, 2026
Source: NVD
CVE-2026-22030 MEDIUM - 6.5

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when usi...

Published: Jan 10, 2026
Source: NVD
CVE-2025-68470 MEDIUM - 6.5

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This ...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22605 MEDIUM - 4.3

OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been p...

Vendor: openproject
Product: openproject
Published: Jan 10, 2026
Source: NVD
CVE-2026-22604 MEDIUM - 5.3

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show th...

Vendor: openproject
Product: openproject
Published: Jan 10, 2026
Source: NVD
CVE-2026-22603 MEDIUM - 6.5

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

Vendor: openproject
Product: openproject
Published: Jan 10, 2026
Source: NVD
CVE-2026-22027 MEDIUM - 6.0

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the convert_hexstring_to_byte_array() functio...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-22024 MEDIUM - 5.3

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the cryptography_encrypt() function allocates...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-21900 MEDIUM - 5.9

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in c...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2026-21899 MEDIUM - 4.9

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping derefer...

Vendor: nasa
Product: cryptolib
Published: Jan 10, 2026
Source: NVD
CVE-2025-46299 MEDIUM - 4.3

A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may disclose internal states of the app.

Vendor: apple
Product: safari
Published: Jan 09, 2026
Source: NVD
CVE-2025-46298 MEDIUM - 6.5

The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.

Vendor: apple
Product: safari
Published: Jan 09, 2026
Source: NVD
CVE-2025-46297 MEDIUM - 5.5

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected files within an App Sandbox container.

Vendor: apple
Product: macos
Published: Jan 09, 2026
Source: NVD
CVE-2025-46286 MEDIUM - 4.3

A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment.

Vendor: apple
Product: ipados
Published: Jan 09, 2026
Source: NVD
CVE-2025-60538 MEDIUM - 6.5

A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack.

Vendor: go-shiori
Product: shiori
Published: Jan 09, 2026
Source: NVD
CVE-2025-51626 MEDIUM - 6.5

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint.

Vendor: xiaoliuchu
Product: pss.sale.com
Published: Jan 09, 2026
Source: NVD