Total: 328400 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-13453 | | | 2026-01-16 | N/A | 6.8 MEDIUM | A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. |
| CVE-2025-70744 | | | 2026-01-16 | N/A | 7.5 HIGH | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. |
| CVE-2021-47774 | | | 2026-01-16 | N/A | 9.8 CRITICAL | Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite the Structured Exception Handler and gain remote code execution through a bind shell. |
| CVE-2026-0712 | | | 2026-01-16 | N/A | 7.6 HIGH | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01. |
| CVE-2026-0713 | | | 2026-01-16 | N/A | 8.3 HIGH | A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: Viewers can view all dashboards/folders regardless of permissions; Editors can view/edit/delete all dashboards/folders regardless of permissions; Editors can create dashboards in any folder regardless of permissions; Anonymous users with viewer/editor roles are similarly affected. Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources. |
| CVE-2025-71166 | | | 2026-01-16 | N/A | N/A | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. |
| CVE-2026-0421 | | | 2026-01-16 | N/A | 6.5 MEDIUM | A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as “On” in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode. |
| CVE-2026-22910 | | | 2026-01-16 | N/A | 7.5 HIGH | The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. |
| CVE-2026-22915 | | | 2026-01-16 | N/A | 4.3 MEDIUM | An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. |
| CVE-2026-22859 | | | 2026-01-16 | N/A | N/A | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out-of-bounds read. This vulnerability is fixed in 3.20.1. |
| CVE-2025-13859 | | | 2026-01-16 | N/A | 6.4 MEDIUM | The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. |
| CVE-2026-23498 | | | 2026-01-16 | N/A | 7.2 HIGH | Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1. |
| CVE-2025-65396 | | | 2026-01-16 | N/A | 6.1 MEDIUM | A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot, by shorting a data pin of the IC to ground. An attacker can then dump the entire firmware, leading to the disclosure of sensitive information including cryptographic keys and user configurations. |
| CVE-2021-47761 | | | 2026-01-16 | N/A | 7.8 HIGH | MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. |
| CVE-2026-22637 | | | 2026-01-16 | N/A | 6.8 MEDIUM | The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. |
| CVE-2026-22908 | | | 2026-01-16 | N/A | 9.1 CRITICAL | Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. |
| CVE-2026-0961 | | | 2026-01-16 | N/A | 5.5 MEDIUM | BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service. |
| CVE-2025-71164 | | | 2026-01-16 | N/A | N/A | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. |
| CVE-2026-22912 | | | 2026-01-16 | N/A | 4.3 MEDIUM | Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risks, including stealing credentials from unsuspecting users. |
| CVE-2026-0990 | | | 2026-01-16 | N/A | 5.9 MEDIUM | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. |
