Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,782
Quick preset (or use dates below)
Clear Filters
Showing 14,001 - 14,020 of 14,783 CVEs
CVE-2026-0731 MEDIUM - 5.3

A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclose...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0730 MEDIUM - 4.8

A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting....

Vendor: phpgurukul
Product: staff_leave_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2026-22588 MEDIUM - 6.5

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying a...

Published: Jan 08, 2026
Source: NVD
CVE-2025-68718 MEDIUM - 5.4

KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. (Changing the management GUI password does not affect SSH/TELNET authentic...

Published: Jan 08, 2026
Source: NVD
CVE-2025-14505 MEDIUM - 5.6

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposur...

Published: Jan 08, 2026
Source: NVD
CVE-2026-22253 MEDIUM - 5.4

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path proces...

Published: Jan 08, 2026
Source: NVD
CVE-2025-65731 MEDIUM - 6.8

An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22587 MEDIUM - 5.5

Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22233 MEDIUM - 5.5

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22232 MEDIUM - 5.5

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22231 MEDIUM - 5.5

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22522 MEDIUM - 6.5

Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through 2.2.3.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22519 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows Stored XSS.This issue affects MediaPress: from n/a through 1.6.2.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22518 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through 1.0.23.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22517 MEDIUM - 5.4

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22492 MEDIUM - 4.3

Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Docket Cache: from n/a through 24.07.04.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22490 MEDIUM - 5.4

Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22489 MEDIUM - 4.3

Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider Slideshow: from n/a through 1.8.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22488 MEDIUM - 5.3

Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22487 MEDIUM - 4.3

Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2.

Published: Jan 08, 2026
Source: NVD