Total 328221 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-0992 1 Redhat 3 Enterprise Linux, Jboss Core Services, Openshift 2026-01-16 2.9 Low
A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.
CVE-2026-22036 1 Nodejs 1 Undici 2026-01-16 3.7 Low
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
CVE-2025-67082 1 Invoiceplane 1 Invoiceplane 2026-01-16 6.5 Medium
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes.
CVE-2025-70744 1 Tenda 1 Ax1806 2026-01-16 7.5 High
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
CVE-2026-22641 1 Sick Ag 1 Incoming Goods Suite 2026-01-16 5 Medium
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.
CVE-2026-22643 1 Sick Ag 1 Incoming Goods Suite 2026-01-16 8.3 High
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
CVE-2026-22644 2026-01-16 5.3 Medium
Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.
CVE-2026-22646 2026-01-16 4.3 Medium
Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities.
CVE-2021-47759 1 Ttyplus 1 Mtputty 2026-01-16 6.2 Medium
MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials.
CVE-2021-47762 1 Httpdebugger 1 Httpdebuggerpro 2026-01-16 7.8 High
HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system.
CVE-2021-47768 1 Thundernest 1 Importexporttools Ng 2026-01-16 6.1 Medium
ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials.
CVE-2021-47784 1 Cyberfox 1 Web Browser 2026-01-16 7.5 High
Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash.
CVE-2021-47799 1 Visual-tools 2 Dvr Vx16, Dvr Vx16 Firmware 2026-01-16 6.2 Medium
Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges.
CVE-2021-47819 1 Projeqtor 1 Projeqtor 2026-01-16 9.8 Critical
ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter.
CVE-2025-67083 1 Invoiceplane 1 Invoiceplane 2026-01-16 5.3 Medium
Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.
CVE-2025-67084 1 Invoiceplane 1 Invoiceplane 2026-01-16 6.5 Medium
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
CVE-2025-71019 1 Tenda 1 Ax1806 2026-01-16 7.5 High
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
CVE-2021-47752 1 Sylkat-tools 1 Awebserver Ghostbuilding 2026-01-16 7.5 High
AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive.
CVE-2021-47753 1 Phpkf 1 Phpkf 2026-01-16 9.8 Critical
phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter.
CVE-2021-47754 1 Arunna 1 Arunna 2026-01-16 5.3 Medium
Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form.