Total CVEs

143,744

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,573
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,481 - 14,500 of 14,876 CVEs
CVE-2025-68718 MEDIUM - 5.4

KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. (Changing the management GUI password does not affect SSH/TELNET authentic...

Published: Jan 08, 2026
Source: NVD
CVE-2025-14505 MEDIUM - 5.6

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposur...

Published: Jan 08, 2026
Source: NVD
CVE-2026-22253 MEDIUM - 5.4

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path proces...

Published: Jan 08, 2026
Source: NVD
CVE-2025-65731 MEDIUM - 6.8

An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22587 MEDIUM - 5.5

Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22233 MEDIUM - 5.5

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22232 MEDIUM - 5.5

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22231 MEDIUM - 5.5

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22522 MEDIUM - 6.5

Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through 2.2.3.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22519 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows Stored XSS.This issue affects MediaPress: from n/a through 1.6.2.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22518 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through 1.0.23.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22517 MEDIUM - 5.4

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22492 MEDIUM - 4.3

Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Docket Cache: from n/a through 24.07.04.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22490 MEDIUM - 5.4

Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22489 MEDIUM - 4.3

Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider Slideshow: from n/a through 1.8.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22488 MEDIUM - 5.3

Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22487 MEDIUM - 4.3

Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2.

Published: Jan 08, 2026
Source: NVD
CVE-2026-22486 MEDIUM - 5.3

Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18.

Published: Jan 08, 2026
Source: NVD
CVE-2026-21639 MEDIUM - 5.4

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) a...

Vendor: ui
Product: airmax_ac_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2026-0671 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.

Vendor: wikimedia
Product: mediawiki-extensions-uploadwizard
Published: Jan 08, 2026
Source: NVD