Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,797
Quick preset (or use dates below)
Clear Filters
Showing 13,941 - 13,960 of 14,783 CVEs
CVE-2025-67811 MEDIUM - 6.5

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4 and...

Vendor: area9lyceum
Product: rhapsode_learner
Published: Jan 09, 2026
Source: NVD
CVE-2025-67810 MEDIUM - 6.5

In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions.

Published: Jan 09, 2026
Source: NVD
CVE-2025-66715 MEDIUM - 6.5

A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file.

Vendor: axtion
Product: odis
Published: Jan 09, 2026
Source: NVD
CVE-2026-22198 MEDIUM - 6.1

GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-c...

Vendor: gestsup
Product: gestsup
Published: Jan 09, 2026
Source: NVD
CVE-2025-67004 MEDIUM - 6.5

** Disputed ** An Information Disclosure vulnerability in CouchCMS 2.4 allow an Admin user to read arbitrary files via traversing directories back after back. It can Disclosure the source code or any other confidential information if weaponize accordingly. NOTE: A community member states that this i...

Vendor: couchcms
Product: couchcms
Published: Jan 09, 2026
Source: NVD
CVE-2025-46645 MEDIUM - 6.5

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization...

Published: Jan 09, 2026
Source: NVD
CVE-2026-0817 MEDIUM - 5.3

Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse.This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39.

Published: Jan 09, 2026
Source: NVD
CVE-2025-67282 MEDIUM - 5.4

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile ...

Vendor: tim-solutions
Product: tim_flow
Published: Jan 09, 2026
Source: NVD
CVE-2025-67281 MEDIUM - 5.4

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content.

Vendor: tim-solutions
Product: tim_flow
Published: Jan 09, 2026
Source: NVD
CVE-2025-67280 MEDIUM - 5.4

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user.

Vendor: tim-solutions
Product: tim_flow
Published: Jan 09, 2026
Source: NVD
CVE-2025-67279 MEDIUM - 5.3

An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format

Vendor: tim-solutions
Product: tim_flow
Published: Jan 09, 2026
Source: NVD
CVE-2025-67278 MEDIUM - 6.5

An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request

Vendor: tim-solutions
Product: tim_flow
Published: Jan 09, 2026
Source: NVD
CVE-2025-46644 MEDIUM - 6.0

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization ...

Published: Jan 09, 2026
Source: NVD
CVE-2025-66051 MEDIUM - 6.5

Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration panel is not set by default. The vendor has n...

Vendor: vivotek
Product: ip7137_firmware
Published: Jan 09, 2026
Source: NVD
CVE-2025-14172 MEDIUM - 6.5

The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it ...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13967 MEDIUM - 6.4

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possibl...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13908 MEDIUM - 6.4

The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for aut...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13903 MEDIUM - 6.4

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authentic...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13897 MEDIUM - 6.4

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-su...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13893 MEDIUM - 6.1

The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to in...

Published: Jan 09, 2026
Source: NVD