The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2025-67811 - Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potentia...
    Published: January 09, 2026; 3:15:52 PM -0500

  • CVE-2025-14457 - The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, ...
    Published: January 15, 2026; 2:16:02 AM -0500

    V3.1: 7.4 HIGH

  • CVE-2026-22907 - An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data.
    Published: January 15, 2026; 8:16:05 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-22908 - Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality.
    Published: January 15, 2026; 8:16:05 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-22909 - Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.
    Published: January 15, 2026; 8:16:05 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-22910 - The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system.
    Published: January 15, 2026; 8:16:05 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-22911 - Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device.
    Published: January 15, 2026; 8:16:05 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-22912 - Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risks including stealing credentials from unsuspecting users.
    Published: January 15, 2026; 8:16:05 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-22913 - Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data.
    Published: January 15, 2026; 8:16:06 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-22914 - An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation.
    Published: January 15, 2026; 8:16:06 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-37179 - Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memo...
    Published: January 13, 2026; 3:16:06 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2026-22915 - An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information.
    Published: January 15, 2026; 8:16:06 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-22916 - An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration.
    Published: January 15, 2026; 8:16:06 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-22917 - Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service.
    Published: January 15, 2026; 8:16:06 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-37168 - Arbitrary file deletion vulnerability has been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete ar...
    Published: January 13, 2026; 3:16:04 PM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2025-70968 - FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE().
    Published: January 14, 2026; 12:16:07 PM -0500

  • CVE-2026-21889 - Weblate is a web-based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. T...
    Published: January 14, 2026; 12:16:07 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-63644 - A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field.
    Published: January 14, 2026; 1:16:41 PM -0500

  • CVE-2025-14556 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS). This issue affects Flag: from 7.X-3.0 through 7.X-3.9.
    Published: January 14, 2026; 2:16:41 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-14557 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.
    Published: January 14, 2026; 2:16:41 PM -0500

    V3.1: 4.8 MEDIUM

Created September 20, 2022, Updated August 27, 2024