Total CVEs

142,714

Critical Severity

4,025

High Severity

14,400

Last 7 Days

1,392
Quick preset (or use dates below)
Clear Filters
Showing 14,421 - 14,440 of 14,826 CVEs
CVE-2025-47208 MEDIUM - 6.5

An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same ty...

Vendor: qnap
Product: quts_hero
Published: Jan 02, 2026
Source: NVD
CVE-2025-45286 MEDIUM - 6.1

A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Vendor: httpbingo
Product: go-httpbin
Published: Jan 02, 2026
Source: NVD
CVE-2025-44013 MEDIUM - 6.5

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versio...

Vendor: qnap
Product: quts_hero
Published: Jan 02, 2026
Source: NVD
CVE-2025-15438 MEDIUM - 4.7

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The expl...

Published: Jan 02, 2026
Source: NVD
CVE-2024-55374 MEDIUM - 5.3

REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts.

Vendor: vanderbilt
Product: redcap
Published: Jan 02, 2026
Source: NVD
CVE-2025-14072 MEDIUM - 5.3

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.

Vendor: ninjaforms
Product: ninja_forms
Published: Jan 02, 2026
Source: NVD
CVE-2025-13456 MEDIUM - 6.1

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Published: Jan 02, 2026
Source: NVD
CVE-2025-13153 MEDIUM - 6.1

The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Published: Jan 02, 2026
Source: NVD
CVE-2025-12685 MEDIUM - 6.5

The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.

Published: Jan 02, 2026
Source: NVD
CVE-2025-14047 MEDIUM - 5.3

The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versio...

Published: Jan 02, 2026
Source: NVD
CVE-2025-15419 MEDIUM - 5.5

A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched loca...

Vendor: open5gs
Product: open5gs
Published: Jan 02, 2026
Source: NVD
CVE-2025-15418 MEDIUM - 5.5

A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated fro...

Vendor: open5gs
Product: open5gs
Published: Jan 02, 2026
Source: NVD
CVE-2025-15417 MEDIUM - 5.5

A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publ...

Vendor: open5gs
Product: open5gs
Published: Jan 01, 2026
Source: NVD
CVE-2025-15416 MEDIUM - 5.4

A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. The manipulation of the argument Remark/Variable Value results in cross site scripting. The attack can be executed remotely. The exploit...

Vendor: wang.market
Product: wangmarket
Published: Jan 01, 2026
Source: NVD
CVE-2025-15415 MEDIUM - 5.4

A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The ex...

Vendor: wang.market
Product: wangmarket
Published: Jan 01, 2026
Source: NVD
CVE-2025-15414 MEDIUM - 4.7

A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing manipulation of the argument uri can lead to server-side request forgery. The attack may be launched remotely. ...

Published: Jan 01, 2026
Source: NVD
CVE-2025-68273 MEDIUM - 5.3

Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed ...

Vendor: signalk
Product: signal_k_server
Published: Jan 01, 2026
Source: NVD
CVE-2025-48768 MEDIUM - 6.5

Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the tar...

Vendor: apache
Product: nuttx
Published: Jan 01, 2026
Source: NVD
CVE-2025-14627 MEDIUM - 6.4

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. ...

Published: Jan 01, 2026
Source: NVD
CVE-2025-14428 MEDIUM - 4.3

The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2....

Published: Jan 01, 2026
Source: NVD