Total CVEs

142,696

Critical Severity

4,021

High Severity

14,390

Last 7 Days

1,393
Quick preset (or use dates below)
Clear Filters
Showing 14,321 - 14,340 of 14,816 CVEs
CVE-2025-68954 MEDIUM - 5.4

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFT...

Vendor: pterodactyl
Product: panel
Published: Jan 06, 2026
Source: NVD
CVE-2026-21439 MEDIUM - 5.3

badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line to...

Vendor: badkeys
Product: badkeys
Published: Jan 06, 2026
Source: NVD
CVE-2025-69230 MEDIUM - 5.3

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs us...

Vendor: aiohttp
Product: aiohttp
Published: Jan 06, 2026
Source: NVD
CVE-2025-69225 MEDIUM - 5.3

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smu...

Vendor: aiohttp
Product: aiohttp
Published: Jan 06, 2026
Source: NVD
CVE-2025-69226 MEDIUM - 5.3

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static...

Vendor: aiohttp
Product: aiohttp
Published: Jan 05, 2026
Source: NVD
CVE-2025-69224 MEDIUM - 6.5

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) o...

Vendor: aiohttp
Product: aiohttp
Published: Jan 05, 2026
Source: NVD
CVE-2025-68437 MEDIUM - 6.8

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifica...

Vendor: craftcms
Product: craft_cms
Published: Jan 05, 2026
Source: NVD
CVE-2025-68436 MEDIUM - 6.5

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the pa...

Vendor: craftcms
Product: craft_cms
Published: Jan 05, 2026
Source: NVD
CVE-2025-67732 MEDIUM - 6.5

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0...

Vendor: dify
Product: dify
Published: Jan 05, 2026
Source: NVD
CVE-2025-64422 MEDIUM - 4.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited...

Vendor: coollabs
Product: coolify
Published: Jan 05, 2026
Source: NVD
CVE-2025-67427 MEDIUM - 6.5

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, w...

Vendor: evershop
Product: evershop
Published: Jan 05, 2026
Source: NVD
CVE-2025-52517 MEDIUM - 5.9

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service.

Vendor: samsung
Product: exynos_2500_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-52516 MEDIUM - 6.2

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service.

Vendor: samsung
Product: exynos_1330_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-52515 MEDIUM - 5.1

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service.

Vendor: samsung
Product: exynos_1330_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-65922 MEDIUM - 4.3

PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application ...

Published: Jan 05, 2026
Source: NVD
CVE-2025-59955 MEDIUM - 5.7

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows...

Vendor: coollabs
Product: coolify
Published: Jan 05, 2026
Source: NVD
CVE-2026-21635 MEDIUM - 5.3

An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet.

Published: Jan 05, 2026
Source: NVD
CVE-2026-21634 MEDIUM - 6.5

A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol causing it to restart. Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Appli...

Published: Jan 05, 2026
Source: NVD
CVE-2025-67316 MEDIUM - 5.4

An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser

Published: Jan 05, 2026
Source: NVD
CVE-2025-53344 MEDIUM - 4.3

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery.This issue affects Thim Core: from n/a through 2.3.3.

Published: Jan 05, 2026
Source: NVD