Total
331723 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24010 | 1 Horilla | 1 Horilla | 2026-01-29 | N/A | 8.0 HIGH |
| Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue. | |||||
| CVE-2026-22793 | 1 5ire | 1 5ire | 2026-01-29 | N/A | 9.6 CRITICAL |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue. | |||||
| CVE-2025-1947 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in hzmanyun Education and Training System 2.1.3. This affects the function scorm of the file UploadImageController.java. The manipulation of the argument param leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-22792 | 1 5ire | 1 5ire | 2026-01-29 | N/A | 9.6 CRITICAL |
| 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue. | |||||
| CVE-2025-27459 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-01-29 | N/A | 4.4 MEDIUM |
| The VNC application stores its passwords encrypted within the registry but uses DES for encryption. As DES is broken, the original passwords can be recovered. | |||||
| CVE-2025-1270 | 1 Anapi | 1 H6web | 2026-01-29 | N/A | 9.1 CRITICAL |
| Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user. | |||||
| CVE-2025-9787 | 1 Zohocorp | 1 Manageengine Applications Manager | 2026-01-29 | N/A | 6.1 MEDIUM |
| Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view. | |||||
| CVE-2021-47814 | 1 Nsasoft | 1 Nbmonitor | 2026-01-29 | N/A | 7.5 HIGH |
| NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability. | |||||
| CVE-2025-68547 | 1 Wpwebelite | 1 Follow My Blog Post | 2026-01-29 | N/A | 7.5 HIGH |
| Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. | |||||
| CVE-2026-0731 | 1 Totolink | 2 Wa1200-poe, Wa1200-poe Firmware | 2026-01-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-68006 | 2026-01-29 | N/A | 6.5 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data.This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. | |||||
| CVE-2025-68004 | 2026-01-29 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1. | |||||
| CVE-2025-68003 | 2026-01-29 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10. | |||||
| CVE-2025-67957 | 2026-01-29 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77. | |||||
| CVE-2025-67956 | 2026-01-29 | N/A | 8.2 HIGH | ||
| Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6. | |||||
| CVE-2025-67955 | 2026-01-29 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0. | |||||
| CVE-2025-67954 | 2026-01-29 | N/A | 6.5 MEDIUM | ||
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data.This issue affects Salon booking system: from n/a through <= 10.30.3. | |||||
| CVE-2025-67953 | 2026-01-29 | N/A | 8.1 HIGH | ||
| Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation.This issue affects Booking Activities: from n/a through <= 1.16.44. | |||||
| CVE-2025-13982 | 2026-01-29 | N/A | 8.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3. | |||||
| CVE-2025-13654 | 1 Zevv | 1 Duc | 2026-01-29 | N/A | 7.5 HIGH |
| A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read. | |||||