Total CVEs

142,714

Critical Severity

4,025

High Severity

14,400

Last 7 Days

1,395
Quick preset (or use dates below)
Clear Filters
Showing 14,381 - 14,400 of 14,826 CVEs
CVE-2025-15449 MEDIUM - 5.4

A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. The attack can be init...

Published: Jan 05, 2026
Source: NVD
CVE-2025-15448 MEDIUM - 6.3

A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely....

Published: Jan 05, 2026
Source: NVD
CVE-2025-14830 MEDIUM - 4.9

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS).This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10.

Published: Jan 04, 2026
Source: NVD
CVE-2026-0574 MEDIUM - 6.3

A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Request Handler. This manipulation causes improper authorizatio...

Published: Jan 04, 2026
Source: NVD
CVE-2025-3660 MEDIUM - 6.5

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to ret...

Published: Jan 04, 2026
Source: NVD
CVE-2025-3654 MEDIUM - 5.3

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelat...

Published: Jan 04, 2026
Source: NVD
CVE-2025-3652 MEDIUM - 5.3

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbi...

Published: Jan 04, 2026
Source: NVD
CVE-2025-15115 MEDIUM - 6.5

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin with...

Published: Jan 04, 2026
Source: NVD
CVE-2026-21484 MEDIUM - 5.3

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling us...

Published: Jan 03, 2026
Source: NVD
CVE-2026-0571 MEDIUM - 4.3

A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. The manipulation of the argument path results in path trave...

Published: Jan 02, 2026
Source: NVD
CVE-2026-21444 MEDIUM - 5.5

libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used....

Published: Jan 02, 2026
Source: NVD
CVE-2026-21432 MEDIUM - 5.4

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.

Vendor: emlog
Product: emlog
Published: Jan 02, 2026
Source: NVD
CVE-2026-21431 MEDIUM - 5.4

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library ` function while publishing an article. As of time of publication, no known patched versions are available.

Vendor: emlog
Product: emlog
Published: Jan 02, 2026
Source: NVD
CVE-2026-21429 MEDIUM - 4.3

Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available.

Vendor: emlog
Product: emlog
Published: Jan 02, 2026
Source: NVD
CVE-2025-69417 MEDIUM - 5.0

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.

Published: Jan 02, 2026
Source: NVD
CVE-2025-69416 MEDIUM - 5.0

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.

Published: Jan 02, 2026
Source: NVD
CVE-2025-15439 MEDIUM - 6.3

A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. T...

Published: Jan 02, 2026
Source: NVD
CVE-2025-69284 MEDIUM - 4.3

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by guest and able to list of user...

Published: Jan 02, 2026
Source: NVD
CVE-2025-62852 MEDIUM - 6.5

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QTS...

Vendor: qnap
Product: qts
Published: Jan 02, 2026
Source: NVD
CVE-2025-59381 MEDIUM - 4.9

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the fol...

Vendor: qnap
Product: qts
Published: Jan 02, 2026
Source: NVD