The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
CVE-2026-24135 - Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to d...
Published: February 06, 2026; 1:15:57 PM -0500; V3.1: 8.1 HIGH
CVE-2026-23633 - Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Published: February 06, 2026; 1:15:56 PM -0500
CVE-2026-23632 - Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the p...
Published: February 06, 2026; 1:15:56 PM -0500
CVE-2026-22592 - Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patc...
Published: February 06, 2026; 1:15:56 PM -0500
CVE-2025-64175 - Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any un...
Published: February 06, 2026; 1:15:55 PM -0500; V3.1: 8.8 HIGH
CVE-2026-21643 - An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP req...
Published: February 06, 2026; 4:15:49 AM -0500
CVE-2026-25635 - calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remot...
Published: February 06, 2026; 4:16:18 PM -0500
CVE-2026-25636 - calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves C...
Published: February 06, 2026; 4:16:18 PM -0500; V3.1: 7.8 HIGH
CVE-2026-25731 - calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via th...
Published: February 06, 2026; 4:16:19 PM -0500
CVE-2026-22709 - vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setu...
Published: January 26, 2026; 5:15:55 PM -0500; V3.1: 10.0 CRITICAL
CVE-2026-24003 - EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current o...
Published: January 26, 2026; 5:15:56 PM -0500; V3.1: 5.3 MEDIUM
CVE-2026-24476 - Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag that starts with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack...
Published: January 26, 2026; 6:16:09 PM -0500; V3.1: 5.4 MEDIUM
CVE-2026-24486 - Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded f...
Published: January 26, 2026; 8:16:02 PM -0500; V3.1: 7.5 HIGH
CVE-2026-20628 - A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An ...
Published: February 11, 2026; 6:16:06 PM -0500
CVE-2026-20671 - A logic issue was addressed with improved checks. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker in a ...
Published: February 11, 2026; 6:16:09 PM -0500
CVE-2020-37200 - NetShareWatcher 1.5.8.0 contains a buffer overflow vulnerability in the registration key input that allows attackers to crash the application by supplying oversized input. Attackers can generate a 1000-character payload and paste it into the regis...
Published: February 11, 2026; 4:16:14 PM -0500; V3.1: 7.5 HIGH
CVE-2021-47723 - STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge...
Published: December 09, 2025; 4:15:50 PM -0500; V3.1: 8.8 HIGH
CVE-2026-24490 - MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim'...
Published: January 26, 2026; 8:16:02 PM -0500; V3.1: 4.8 MEDIUM
CVE-2020-37201 - NetShareWatcher 1.5.8.0 contains a buffer overflow vulnerability in the registration name input that allows attackers to crash the application. Attackers can generate a 1000-character payload and paste it into the 'Name' field to trigger an applic...
Published: February 11, 2026; 4:16:14 PM -0500; V3.1: 7.5 HIGH
CVE-2026-1361 - ASDA-Soft Stack-based Buffer Overflow Vulnerability
Published: January 26, 2026; 11:16:03 PM -0500; V3.1: 9.8 CRITICAL


