Total CVEs

143,744

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,564
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,541 - 14,560 of 14,876 CVEs
CVE-2025-13034 MEDIUM - 5.9

When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper c...

Vendor: haxx
Product: curl
Published: Jan 08, 2026
Source: NVD
CVE-2025-12551 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins ListingHub listinghub allows Reflected XSS.This issue affects ListingHub: from n/a through 1.2.6.

Published: Jan 08, 2026
Source: NVD
CVE-2025-13679 MEDIUM - 6.5

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0707 MEDIUM - 5.3

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specification...

Published: Jan 08, 2026
Source: NVD
CVE-2025-14275 MEDIUM - 6.4

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level...

Published: Jan 08, 2026
Source: NVD
CVE-2025-12640 MEDIUM - 4.3

The Folders โ€“ Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file...

Published: Jan 08, 2026
Source: NVD
CVE-2026-21880 MEDIUM - 5.3

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerat...

Vendor: kanboard
Product: kanboard
Published: Jan 08, 2026
Source: NVD
CVE-2026-21879 MEDIUM - 6.1

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filte...

Vendor: kanboard
Product: kanboard
Published: Jan 08, 2026
Source: NVD
CVE-2019-25295 MEDIUM - 6.5

The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site.

Published: Jan 08, 2026
Source: NVD
CVE-2026-21859 MEDIUM - 5.8

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it doe...

Published: Jan 08, 2026
Source: NVD
CVE-2026-21695 MEDIUM - 4.3

Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses t...

Vendor: kromit
Product: titra
Published: Jan 08, 2026
Source: NVD
CVE-2019-25290 MEDIUM - 5.3

Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumerati...

Published: Jan 08, 2026
Source: NVD
CVE-2019-25284 MEDIUM - 6.1

V-SOL GPON/EPON OLT Platform v2.03 contains multiple reflected cross-site scripting vulnerabilities due to improper input sanitization in various script parameters. Attackers can exploit these vulnerabilities by injecting malicious HTML and script code to execute arbitrary scripts in a victim's...

Published: Jan 08, 2026
Source: NVD
CVE-2019-25280 MEDIUM - 6.1

Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user br...

Published: Jan 08, 2026
Source: NVD
CVE-2019-25278 MEDIUM - 5.9

FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication.

Vendor: iwt
Product: facesentry_access_control_system_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2019-25277 MEDIUM - 6.1

FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially st...

Vendor: iwt
Product: facesentry_access_control_system_firmware
Published: Jan 08, 2026
Source: NVD
CVE-2019-25270 MEDIUM - 6.1

SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. Attackers can exploit this weakness by sending crafted POST requests to execute arbitrary HTML and script c...

Published: Jan 08, 2026
Source: NVD
CVE-2019-25259 MEDIUM - 5.3

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that subm...

Published: Jan 08, 2026
Source: NVD
CVE-2017-20212 MEDIUM - 6.2

FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access lo...

Published: Jan 08, 2026
Source: NVD
CVE-2026-21857 MEDIUM - 6.5

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter ag...

Vendor: redaxo
Product: redaxo
Published: Jan 07, 2026
Source: NVD