Total CVEs

143,226

Critical Severity

4,056

High Severity

14,605

Last 7 Days

1,273
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 13,961 - 13,980 of 14,668 CVEs
CVE-2025-67083 MEDIUM - 5.3

Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.

Vendor: invoiceplane
Product: invoiceplane
Published: Jan 15, 2026
Source: NVD
CVE-2025-67082 MEDIUM - 6.5

An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data f...

Vendor: invoiceplane
Product: invoiceplane
Published: Jan 15, 2026
Source: NVD
CVE-2025-67081 MEDIUM - 4.9

An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability ar...

Vendor: itflow
Product: itflow
Published: Jan 15, 2026
Source: NVD
CVE-2026-22646 MEDIUM - 4.3

Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal str...

Vendor: SICK AG
Product: Incoming Goods Suite
Published: Jan 15, 2026
Source: NVD
CVE-2026-22645 MEDIUM - 5.3

The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components.

Vendor: SICK AG
Product: Incoming Goods Suite
Published: Jan 15, 2026
Source: NVD
CVE-2026-22644 MEDIUM - 5.3

Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.

Vendor: SICK AG
Product: Incoming Goods Suite
Published: Jan 15, 2026
Source: NVD
CVE-2025-13859 MEDIUM - 6.4

The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level ac...

Vendor: wpcenter
Product: AffiliateX – Amazon Affiliate Plugin
Published: Jan 15, 2026
Source: NVD
CVE-2025-12895 MEDIUM - 5.3

The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attacker...

Vendor: Laborator
Product: Kalium 3 | Creative WordPress & WooCommerce Theme
Published: Jan 15, 2026
Source: NVD
CVE-2026-22919 MEDIUM - 4.8

An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22916 MEDIUM - 5.4

An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22915 MEDIUM - 6.5

An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22914 MEDIUM - 6.5

An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22913 MEDIUM - 6.1

Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2026-22912 MEDIUM - 6.1

Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risk including stealing credentials from unsuspecting users.

Vendor: sick
Product: tdc-x401gl_firmware
Published: Jan 15, 2026
Source: NVD
CVE-2025-14448 MEDIUM - 5.4

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for au...

Vendor: cbutlerjr
Product: wp-members_membership_plugin
Published: Jan 15, 2026
Source: NVD
CVE-2026-0421 MEDIUM - 6.5

A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as β€œOn” in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode.

Published: Jan 14, 2026
Source: NVD
CVE-2025-13454 MEDIUM - 4.7

A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information.

Published: Jan 14, 2026
Source: NVD
CVE-2025-13453 MEDIUM - 6.8

A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive.

Published: Jan 14, 2026
Source: NVD
CVE-2025-13154 MEDIUM - 5.5

An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges.

Published: Jan 14, 2026
Source: NVD
CVE-2026-0962 MEDIUM - 6.5

SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service

Vendor: wireshark
Product: wireshark
Published: Jan 14, 2026
Source: NVD