Total CVEs

142,666

Critical Severity

4,018

High Severity

14,386

Last 7 Days

1,420
Quick preset (or use dates below)
Clear Filters
Showing 14,101 - 14,120 of 14,805 CVEs
CVE-2019-25277 MEDIUM - 6.1

FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially st...

Vendor: iwt
Product: facesentry_access_control_system_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2019-25270 MEDIUM - 6.1

SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. Attackers can exploit this weakness by sending crafted POST requests to execute arbitrary HTML and script c...

Published: Jan 08, 2026
Source: NVD
CVE-2019-25259 MEDIUM - 5.3

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that subm...

Published: Jan 08, 2026
Source: NVD
CVE-2017-20212 MEDIUM - 6.2

FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access lo...

Published: Jan 08, 2026
Source: NVD
CVE-2026-21857 MEDIUM - 6.5

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter ag...

Vendor: redaxo
Product: redaxo
Published: Jan 07, 2026
Source: NVD
CVE-2026-21851 MEDIUM - 5.3

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, whi...

Published: Jan 07, 2026
Source: NVD
CVE-2025-62224 MEDIUM - 5.5

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network.

Published: Jan 07, 2026
Source: NVD
CVE-2023-7333 MEDIUM - 5.3

A weakness has been identified in bluelabsio records-mover up to 1.5.4. The affected element is an unknown function of the component Table Object Handler. This manipulation causes sql injection. The attack needs to be launched locally. Upgrading to version 1.6.0 is sufficient to fix this issue. Patc...

Published: Jan 07, 2026
Source: NVD
CVE-2026-21691 MEDIUM - 6.5

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTag:IsTypeCompressed()`. This vulnerability affects user...

Vendor: color
Product: iccdev
Published: Jan 07, 2026
Source: NVD
CVE-2026-21690 MEDIUM - 6.3

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects user...

Vendor: color
Product: iccdev
Published: Jan 07, 2026
Source: NVD
CVE-2026-21689 MEDIUM - 6.5

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfil...

Vendor: color
Product: iccdev
Published: Jan 07, 2026
Source: NVD
CVE-2026-22188 MEDIUM - 5.5

Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a lar...

Vendor: cmu
Product: panda3d
Published: Jan 07, 2026
Source: NVD
CVE-2025-69255 MEDIUM - 4.0

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics ...

Vendor: rustfs
Product: rustfs
Published: Jan 07, 2026
Source: NVD
CVE-2025-69221 MEDIUM - 4.3

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration...

Vendor: librechat
Product: librechat
Published: Jan 07, 2026
Source: NVD
CVE-2025-69220 MEDIUM - 5.9

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the ...

Vendor: librechat
Product: librechat
Published: Jan 07, 2026
Source: NVD
CVE-2025-64305 MEDIUM - 6.5

MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.

Published: Jan 07, 2026
Source: NVD
CVE-2025-61939 MEDIUM - 4.4

An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker control...

Vendor: columbiaweather
Product: weather_microserver_firmware
Published: Jan 07, 2026
Source: NVD
CVE-2026-0670 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39.

Published: Jan 07, 2026
Source: NVD
CVE-2026-21506 MEDIUM - 5.5

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been p...

Vendor: color
Product: iccdev
Published: Jan 07, 2026
Source: NVD
CVE-2026-21503 MEDIUM - 5.5

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in ve...

Vendor: color
Product: iccdev
Published: Jan 07, 2026
Source: NVD