Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,261
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,161 - 14,180 of 14,675 CVEs
CVE-2026-22784 MEDIUM - 4.3

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protec...

Vendor: lycheeorg
Product: lychee
Published: Jan 12, 2026
Source: NVD
CVE-2026-22251 MEDIUM - 5.3

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

Published: Jan 12, 2026
Source: NVD
CVE-2026-22050 MEDIUM - 4.3

ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none.

Vendor: netapp
Product: ontap
Published: Jan 12, 2026
Source: NVD
CVE-2025-68657 MEDIUM - 6.4

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interf...

Vendor: espressif
Product: usb_host_hid_driver
Published: Jan 12, 2026
Source: NVD
CVE-2025-68656 MEDIUM - 6.8

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immedia...

Vendor: espressif
Product: usb_host_hid_driver
Published: Jan 12, 2026
Source: NVD
CVE-2025-68471 MEDIUM - 6.5

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.

Vendor: avahi
Product: avahi
Published: Jan 12, 2026
Source: NVD
CVE-2025-68468 MEDIUM - 6.5

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they exp...

Vendor: avahi
Product: avahi
Published: Jan 12, 2026
Source: NVD
CVE-2025-68276 MEDIUM - 5.5

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This c...

Vendor: avahi
Product: avahi
Published: Jan 12, 2026
Source: NVD
CVE-2025-68622 MEDIUM - 6.8

Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configurati...

Vendor: espressif
Product: usb_host_uvc_class_driver
Published: Jan 12, 2026
Source: NVD
CVE-2025-66689 MEDIUM - 6.5

A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system dir...

Vendor: busymac
Product: pal_mcp_server
Published: Jan 12, 2026
Source: NVD
CVE-2025-67813 MEDIUM - 5.3

Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication

Vendor: quest
Product: kace_desktop_authority
Published: Jan 12, 2026
Source: NVD
CVE-2025-66939 MEDIUM - 5.4

Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file

Vendor: altumcode
Product: 66biolinks
Published: Jan 12, 2026
Source: NVD
CVE-2025-65553 MEDIUM - 6.5

D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detecti...

Vendor: d3dsecurity
Product: xz-g12_firmware
Published: Jan 12, 2026
Source: NVD
CVE-2025-14579 MEDIUM - 4.8

The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: Jan 12, 2026
Source: NVD
CVE-2025-69275 MEDIUM - 6.1

Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS.This issue affects DX NetOps Spectrum: 24.3.9 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2025-69268 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS.This issue affects DX NetOps Spectrum: 24.3.8 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2025-69267 MEDIUM - 6.5

Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal.This issue affects DX NetOps Spectrum: 24.3.8 and earlier.

Vendor: broadcom
Product: dx_netops_spectrum
Published: Jan 12, 2026
Source: NVD
CVE-2026-0853 MEDIUM - 5.3

Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.

Published: Jan 12, 2026
Source: NVD
CVE-2026-0843 MEDIUM - 6.3

A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. ...

Published: Jan 11, 2026
Source: NVD
CVE-2026-0842 MEDIUM - 6.3

A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The ...

Published: Jan 11, 2026
Source: NVD