Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,347
Quick preset (or use dates below)
Clear Filters
Showing 14,021 - 14,040 of 14,783 CVEs
CVE-2026-22486 MEDIUM - 5.3

Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18.

Published: Jan 08, 2026
Source: NVD
CVE-2026-21639 MEDIUM - 5.4

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) a...

Vendor: ui
Product: airmax_ac_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2026-0671 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.

Vendor: wikimedia
Product: mediawiki-extensions-uploadwizard
Published: Jan 08, 2026
Source: NVD
CVE-2025-61550 MEDIUM - 5.4

Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and later rendered in HTML pages without proper output encod...

Vendor: edubusinesssolutions
Product: print_shop_pro_webdesk
Published: Jan 08, 2026
Source: NVD
CVE-2025-61549 MEDIUM - 6.1

Cross-Site Scripting (XSS) is present on the LoginID parameter on the /PSP/app/web/reg/reg_display.asp endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is reflected in HTTP responses without proper HTML encoding or escaping. This allows attackers to exe...

Vendor: edubusinesssolutions
Product: print_shop_pro_webdesk
Published: Jan 08, 2026
Source: NVD
CVE-2025-61547 MEDIUM - 6.8

Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34. The application does not implement proper CSRF tokens or other other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing u...

Vendor: edubusinesssolutions
Product: print_shop_pro_webdesk
Published: Jan 08, 2026
Source: NVD
CVE-2026-22246 MEDIUM - 4.3

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships fo...

Vendor: joinmastodon
Product: mastodon
Published: Jan 08, 2026
Source: NVD
CVE-2025-67091 MEDIUM - 6.5

An issue in GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. GL.Inet AX1800 Version 4.6.4 & 4.6.8 in the GL.iNet custom opkg wrapper script located at /usr/libexec/opkg-call. The script is executed with root privileges when triggered via the LuCI web interface or authenticated AP...

Vendor: gl-inet
Product: ax1800_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2025-67090 MEDIUM - 5.1

The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. Fix available in version 4.8.2 GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the lo...

Vendor: gl-inet
Product: ax1800_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2026-22041 MEDIUM - 5.3

Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known...

Vendor: armurox
Product: logging_redactor
Published: Jan 08, 2026
Source: NVD
CVE-2026-22032 MEDIUM - 6.1

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's origi...

Vendor: monospace
Product: directus
Published: Jan 08, 2026
Source: NVD
CVE-2026-22028 MEDIUM - 6.1

Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to b...

Vendor: preactjs
Product: preact
Published: Jan 08, 2026
Source: NVD
CVE-2026-21885 MEDIUM - 6.5

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen...

Vendor: miniflux_project
Product: miniflux
Published: Jan 08, 2026
Source: NVD
CVE-2026-22242 MEDIUM - 4.9

CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the a...

Vendor: coreshop
Product: coreshop
Published: Jan 08, 2026
Source: NVD
CVE-2026-21894 MEDIUM - 6.5

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe ...

Vendor: n8n
Product: n8n
Published: Jan 08, 2026
Source: NVD
CVE-2026-21874 MEDIUM - 5.3

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when ...

Vendor: zauberzeug
Product: nicegui
Published: Jan 08, 2026
Source: NVD
CVE-2026-21873 MEDIUM - 6.1

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been p...

Vendor: zauberzeug
Product: nicegui
Published: Jan 08, 2026
Source: NVD
CVE-2026-21872 MEDIUM - 6.1

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version...

Vendor: zauberzeug
Product: nicegui
Published: Jan 08, 2026
Source: NVD
CVE-2026-21871 MEDIUM - 6.1

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL w...

Vendor: zauberzeug
Product: nicegui
Published: Jan 08, 2026
Source: NVD
CVE-2026-0676 MEDIUM - 5.3

Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7.

Published: Jan 08, 2026
Source: NVD