Total CVEs

143,746

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,538
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,761 - 14,780 of 14,877 CVEs
CVE-2025-20785 MEDIUM - 6.7

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4677.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20784 MEDIUM - 6.7

In display, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4683.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20783 MEDIUM - 6.7

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4684.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20782 MEDIUM - 6.7

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4685.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-69197 MEDIUM - 6.5

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This al...

Vendor: pterodactyl
Product: panel
Published: Jan 06, 2026
Source: NVD
CVE-2025-68954 MEDIUM - 5.4

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFT...

Vendor: pterodactyl
Product: panel
Published: Jan 06, 2026
Source: NVD
CVE-2026-21439 MEDIUM - 5.3

badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line to...

Vendor: badkeys
Product: badkeys
Published: Jan 06, 2026
Source: NVD
CVE-2025-69230 MEDIUM - 5.3

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs us...

Vendor: aiohttp
Product: aiohttp
Published: Jan 06, 2026
Source: NVD
CVE-2025-69225 MEDIUM - 5.3

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smu...

Vendor: aiohttp
Product: aiohttp
Published: Jan 06, 2026
Source: NVD
CVE-2025-69226 MEDIUM - 5.3

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static...

Vendor: aiohttp
Product: aiohttp
Published: Jan 05, 2026
Source: NVD
CVE-2025-69224 MEDIUM - 6.5

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) o...

Vendor: aiohttp
Product: aiohttp
Published: Jan 05, 2026
Source: NVD
CVE-2025-68437 MEDIUM - 6.8

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifica...

Vendor: craftcms
Product: craft_cms
Published: Jan 05, 2026
Source: NVD
CVE-2025-68436 MEDIUM - 6.5

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the pa...

Vendor: craftcms
Product: craft_cms
Published: Jan 05, 2026
Source: NVD
CVE-2025-67732 MEDIUM - 6.5

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0...

Vendor: dify
Product: dify
Published: Jan 05, 2026
Source: NVD
CVE-2025-64422 MEDIUM - 4.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited...

Vendor: coollabs
Product: coolify
Published: Jan 05, 2026
Source: NVD
CVE-2025-67427 MEDIUM - 6.5

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, w...

Vendor: evershop
Product: evershop
Published: Jan 05, 2026
Source: NVD
CVE-2025-52517 MEDIUM - 5.9

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service.

Vendor: samsung
Product: exynos_2500_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-52516 MEDIUM - 6.2

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service.

Vendor: samsung
Product: exynos_1330_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-52515 MEDIUM - 5.1

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service.

Vendor: samsung
Product: exynos_1330_firmware
Published: Jan 05, 2026
Source: NVD
CVE-2025-65922 MEDIUM - 4.3

PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application ...

Published: Jan 05, 2026
Source: NVD