Total
327535 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13774 | 2026-01-13 | 8.8 High | ||
| A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | ||||
| CVE-2026-22587 | 1 Ideagen | 1 Devonway | 2026-01-13 | 5.5 Medium |
| Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS. | ||||
| CVE-2026-22232 | 1 Opexus | 1 Ecase Audit | 2026-01-13 | 5.5 Medium |
| OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. | ||||
| CVE-2025-67325 | 2026-01-13 | 9.8 Critical | ||
| Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution. | ||||
| CVE-2025-14436 | 3 Neeraj Slit, Woocommerce, Wordpress | 3 Brevo For Woocommerce, Woocommerce, Wordpress | 2026-01-13 | 7.2 High |
| The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-15464 | 1 Yintibao | 1 Fun Print Mobile | 2026-01-13 | 7.5 High |
| Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. | ||||
| CVE-2026-22712 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki-approvedrevs Extension | 2026-01-13 | N/A |
| Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39. | ||||
| CVE-2026-0733 | 1 Phpgurukul | 1 Online Course Registration System | 2026-01-13 | 6.3 Medium |
| A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-70974 | 1 Alibaba | 1 Fastjson | 2026-01-13 | 10 Critical |
| Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. | ||||
| CVE-2026-20971 | 1 Samsung | 2 Mobile, Mobile Devices | 2026-01-13 | N/A |
| Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code. | ||||
| CVE-2026-20973 | 1 Samsung | 1 Mobile Devices | 2026-01-13 | 5.3 Medium |
| Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows remote attacker to access out-of-bounds memory. | ||||
| CVE-2025-14782 | 2 Wordpress, Wpmudev | 2 Wordpress, Forminator Forms | 2026-01-13 | 5.3 Medium |
| The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information. | ||||
| CVE-2025-15057 | 2 Wordpress, Wp-slimstat | 2 Wordpress, Slimstat Analytics | 2026-01-13 | 7.2 High |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report. | ||||
| CVE-2026-20974 | 1 Samsung | 1 Mobile Devices | 2026-01-13 | N/A |
| Improper input validation in data related to network restrictions prior to SMR Jan-2026 Release 1 allows physical attackers to bypass Carrier Relock. | ||||
| CVE-2025-13895 | 2 Top-position, Wordpress | 2 Google-finance, Wordpress | 2026-01-13 | 6.1 Medium |
| The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-13701 | 2 Beshkin, Wordpress | 2 Shabat Keeper, Wordpress | 2026-01-13 | 6.1 Medium |
| The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-13852 | 2 Debtcom, Wordpress | 2 Debt.com Business In A Box, Wordpress | 2026-01-13 | 6.4 Medium |
| The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13854 | 2 Soniz, Wordpress | 2 Curved Text, Wordpress | 2026-01-13 | 6.4 Medium |
| The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-66052 | 1 Vivotek | 1 Ip7137 | 2026-01-13 | N/A |
| Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default, The vendor has not replied to the CNA Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | ||||
| CVE-2025-13900 | 2 Themelocation, Wordpress | 2 Wp Popup Magic, Wordpress | 2026-01-13 | 6.4 Medium |
| The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||