Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,261
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 14,141 - 14,160 of 14,675 CVEs
CVE-2025-9435 MEDIUM - 5.5

Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module

Published: Jan 13, 2026
Source: NVD
CVE-2025-14507 MEDIUM - 5.3

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, ema...

Published: Jan 13, 2026
Source: NVD
CVE-2025-59021 MEDIUM - 6.4

Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs –...

Vendor: typo3
Product: typo3
Published: Jan 13, 2026
Source: NVD
CVE-2025-59020 MEDIUM - 6.5

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set ...

Vendor: typo3
Product: typo3
Published: Jan 13, 2026
Source: NVD
CVE-2025-14001 MEDIUM - 5.4

The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated ...

Published: Jan 13, 2026
Source: NVD
CVE-2026-0514 MEDIUM - 6.1

Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to acce...

Vendor: sap
Product: business_connector
Published: Jan 13, 2026
Source: NVD
CVE-2026-0513 MEDIUM - 4.7

Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Co...

Vendor: sap
Product: supplier_relationship_management
Published: Jan 13, 2026
Source: NVD
CVE-2026-0503 MEDIUM - 6.4

Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can ...

Published: Jan 13, 2026
Source: NVD
CVE-2026-0499 MEDIUM - 6.1

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal...

Published: Jan 13, 2026
Source: NVD
CVE-2026-0497 MEDIUM - 4.3

SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0496 MEDIUM - 6.6

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0495 MEDIUM - 5.1

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0494 MEDIUM - 4.3

Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.

Published: Jan 13, 2026
Source: NVD
CVE-2026-0493 MEDIUM - 4.3

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on be...

Published: Jan 13, 2026
Source: NVD
CVE-2026-22813 MEDIUM - 6.1

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for...

Vendor: anoma
Product: opencode
Published: Jan 12, 2026
Source: NVD
CVE-2026-22804 MEDIUM - 4.7

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This...

Vendor: termix
Product: termix
Published: Jan 12, 2026
Source: NVD
CVE-2026-22800 MEDIUM - 4.5

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs...

Vendor: thm
Product: pilos
Published: Jan 12, 2026
Source: NVD
CVE-2026-22798 MEDIUM - 5.9

hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via her...

Published: Jan 12, 2026
Source: NVD
CVE-2026-22772 MEDIUM - 5.8

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the S...

Published: Jan 12, 2026
Source: NVD
CVE-2021-41074 MEDIUM - 5.4

A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document.

Vendor: webkul
Product: qloapps
Published: Jan 12, 2026
Source: NVD