Total
328208 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67083 | 1 Invoiceplane | 1 Invoiceplane | 2026-01-16 | 5.3 Medium |
| Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. | ||||
| CVE-2025-67084 | 1 Invoiceplane | 1 Invoiceplane | 2026-01-16 | 6.5 Medium |
| File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). | ||||
| CVE-2025-71019 | 1 Tenda | 1 Ax1806 | 2026-01-16 | 7.5 High |
| Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | ||||
| CVE-2021-47752 | 1 Sylkat-tools | 1 Awebserver Ghostbuilding | 2026-01-16 | 7.5 High |
| AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive. | ||||
| CVE-2021-47753 | 1 Phpkf | 1 Phpkf | 2026-01-16 | 9.8 Critical |
| phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | ||||
| CVE-2021-47754 | 1 Arunna | 1 Arunna | 2026-01-16 | 5.3 Medium |
| Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. | ||||
| CVE-2021-47757 | 1 Chikitsa | 1 Patient Management System | 2026-01-16 | 8.8 High |
| Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server. | ||||
| CVE-2021-47758 | 1 Chikitsa | 1 Patient Management System | 2026-01-16 | 8.8 High |
| Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. | ||||
| CVE-2021-47763 | 1 Aimeos | 1 Aimeos Laravel Ecommerce Platform | 2026-01-16 | 8.2 High |
| Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. | ||||
| CVE-2021-47765 | 1 Celestial Software | 1 Absolutetelnet | 2026-01-16 | 6.2 Medium |
| AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive. | ||||
| CVE-2021-47769 | 1 Bdtask | 1 Isshue | 2026-01-16 | 7.2 High |
| Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks. | ||||
| CVE-2021-47772 | 1 10-strike | 1 Network Inventory Explorer | 2026-01-16 | 9.8 Critical |
| 10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system. | ||||
| CVE-2021-47777 | 1 Ribccs | 1 Build Smart Erp | 2026-01-16 | 8.2 High |
| Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify database information. | ||||
| CVE-2025-12166 | 2 Croixhaug, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2026-01-16 | 7.5 High |
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-13062 | 1 Wordpress | 1 Wordpress | 2026-01-16 | 8.8 High |
| The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-13453 | 1 Lenovo | 4 Thinkplus Fu100, Thinkplus Fu200, Thinkplus Tsd303 and 1 more | 2026-01-16 | 6.8 Medium |
| A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. | ||||
| CVE-2025-13454 | 1 Lenovo | 4 Thinkplus Fu100, Thinkplus Fu200, Thinkplus Tsd303 and 1 more | 2026-01-16 | 4.7 Medium |
| A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. | ||||
| CVE-2025-13455 | 1 Lenovo | 4 Thinkplus Fu100, Thinkplus Fu200, Thinkplus Tsd303 and 1 more | 2026-01-16 | 7.8 High |
| A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. | ||||
| CVE-2025-13859 | 1 Wordpress | 1 Wordpress | 2026-01-16 | 6.4 Medium |
| The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. | ||||
| CVE-2025-14058 | 1 Lenovo | 31 Idea Tab Pro Tb373fu, Idea Tab Tb336fu, Legion Tab Tb320fc and 28 more | 2026-01-16 | 3.2 Low |
| A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. | ||||