Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,242
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 14,181 - 14,200 of 14,675 CVEs
CVE-2025-13393 MEDIUM - 4.3

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This ...

Published: Jan 10, 2026
Source: NVD
CVE-2025-12379 MEDIUM - 6.4

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and β€˜title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14555 MEDIUM - 6.4

The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. ...

Published: Jan 10, 2026
Source: NVD
CVE-2025-15504 MEDIUM - 5.5

A security flaw has been discovered in lief-project LIEF up to 0.17.1. Affected by this issue is the function Parser::parse_binary of the file src/ELF/Parser.tcc of the component ELF Binary Parser. The manipulation results in null pointer dereference. The attack must be initiated from a local positi...

Vendor: lief-project
Product: lief
Published: Jan 10, 2026
Source: NVD
CVE-2025-14506 MEDIUM - 6.4

The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for a...

Published: Jan 10, 2026
Source: NVD
CVE-2026-0831 MEDIUM - 5.3

The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to ...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14976 MEDIUM - 5.4

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect no...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22773 MEDIUM - 6.5

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimensio...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22705 MEDIUM - 6.4

RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22703 MEDIUM - 5.5

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Reko...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22702 MEDIUM - 4.5

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14948 MEDIUM - 5.3

The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unaut...

Published: Jan 10, 2026
Source: NVD
CVE-2025-14943 MEDIUM - 4.3

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22701 MEDIUM - 5.3

filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between t...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22693 MEDIUM - 5.3

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22689 MEDIUM - 6.5

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a maliciou...

Published: Jan 10, 2026
Source: NVD
CVE-2026-22691 MEDIUM - 5.3

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference ...

Vendor: pypdf_project
Product: pypdf
Published: Jan 10, 2026
Source: NVD
CVE-2026-22690 MEDIUM - 5.3

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be ac...

Vendor: pypdf_project
Product: pypdf
Published: Jan 10, 2026
Source: NVD
CVE-2025-65090 MEDIUM - 5.3

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has be...

Published: Jan 10, 2026
Source: NVD
CVE-2025-61676 MEDIUM - 4.8

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the styl...

Vendor: octobercms
Product: october
Published: Jan 10, 2026
Source: NVD