Total: 328221 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0992 | 1 Redhat | 3 Enterprise Linux, Jboss Core Services, Openshift | 2026-01-16 | 2.9 Low |
| A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. | ||||
| CVE-2026-22036 | 1 Nodejs | 1 Undici | 2026-01-16 | 3.7 Low |
| Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0. | ||||
| CVE-2025-67082 | 1 Invoiceplane | 1 Invoiceplane | 2026-01-16 | 6.5 Medium |
| An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. | ||||
| CVE-2025-70744 | 1 Tenda | 1 Ax1806 | 2026-01-16 | 7.5 High |
| Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | ||||
| CVE-2026-22641 | 1 Sick Ag | 1 Incoming Goods Suite | 2026-01-16 | 5 Medium |
| This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. | ||||
| CVE-2026-22643 | 1 Sick Ag | 1 Incoming Goods Suite | 2026-01-16 | 8.3 High |
| In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to an Improper Input Validation vulnerability. This issue affects Grafana before 11.6.2 and is fixed in 11.6.2 and higher. | ||||
| CVE-2026-22644 | | | 2026-01-16 | 5.3 Medium |
| Certain requests pass the authentication token in the URL as a string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access. | ||||
| CVE-2026-22646 | | | 2026-01-16 | 4.3 Medium |
| Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities. | ||||
| CVE-2021-47759 | 1 Ttyplus | 1 Mtputty | 2026-01-16 | 6.2 Medium |
| MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. | ||||
| CVE-2021-47762 | 1 Httpdebugger | 1 Httpdebuggerpro | 2026-01-16 | 7.8 High |
| HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system. | ||||
| CVE-2021-47768 | 1 Thundernest | 1 Importexporttools Ng | 2026-01-16 | 6.1 Medium |
| ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. | ||||
| CVE-2021-47784 | 1 Cyberfox | 1 Web Browser | 2026-01-16 | 7.5 High |
| Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. | ||||
| CVE-2021-47799 | 1 Visual-tools | 2 Dvr Vx16, Dvr Vx16 Firmware | 2026-01-16 | 6.2 Medium |
| Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges. | ||||
| CVE-2021-47819 | 1 Projeqtor | 1 Projeqtor | 2026-01-16 | 9.8 Critical |
| ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. | ||||
| CVE-2025-67083 | 1 Invoiceplane | 1 Invoiceplane | 2026-01-16 | 5.3 Medium |
| Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. | ||||
| CVE-2025-67084 | 1 Invoiceplane | 1 Invoiceplane | 2026-01-16 | 6.5 Medium |
| File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). | ||||
| CVE-2025-71019 | 1 Tenda | 1 Ax1806 | 2026-01-16 | 7.5 High |
| Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | ||||
| CVE-2021-47752 | 1 Sylkat-tools | 1 Awebserver Ghostbuilding | 2026-01-16 | 7.5 High |
| AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive. | ||||
| CVE-2021-47753 | 1 Phpkf | 1 Phpkf | 2026-01-16 | 9.8 Critical |
| phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | ||||
| CVE-2021-47754 | 1 Arunna | 1 Arunna | 2026-01-16 | 5.3 Medium |
| Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. | ||||