Search

Search Results (363163 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-69430 1 Yottamaster 6 Dm2, Dm200, Dm200 Firmware and 3 more 2026-02-11 6.1 Medium
An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.
CVE-2025-69431 1 Zspace 3 Q2c, Q2c Firmware, Q2c Nas 2026-02-11 6.1 Medium
The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's directory mounted on the NAS using the Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files.
CVE-2025-69848 1 Netbox 1 Netbox 2026-02-11 5.4 Medium
NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages without proper escaping. This allows user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships, potentially enabling execution of arbitrary client-side code in the context of a privileged user.
CVE-2025-69875 1 Quickheal 1 Total Security 2026-02-11 7.8 High
A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation.
CVE-2025-70841 2 Amcoders, Dokans 2 Dokans, Multitenancy Based Ecommerce Platform Saas 2026-02-11 10 Critical
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.
CVE-2025-61546 1 Edubusinesssolutions 1 Print Shop Pro Webdesk 2026-02-11 9.1 Critical
There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69) that enables remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls.
CVE-2025-70849 1 Stefanprodan 1 Podinfo 2026-02-11 6.1 Medium
Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).
CVE-2025-63386 2 Dify, Langgenius 2 Dify, Dify 2026-02-11 9.1 Critical
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.
CVE-2025-21427 1 Qualcomm 358 205 Mobile, 205 Mobile Firmware, 215 Mobile and 355 more 2026-02-11 8.2 High
Information disclosure while decoding this RTP packet Payload when UE receives the RTP packet from the network.
CVE-2026-26044 2026-02-11 N/A
Not used
CVE-2026-26043 2026-02-11 N/A
Not used
CVE-2026-26042 2026-02-11 N/A
Not used
CVE-2026-26041 2026-02-11 N/A
Not used
CVE-2026-26040 2026-02-11 N/A
Not used
CVE-2026-26039 2026-02-11 N/A
Not used
CVE-2026-26038 2026-02-11 N/A
Not used
CVE-2026-26037 2026-02-11 N/A
Not used
CVE-2026-26036 2026-02-11 N/A
Not used
CVE-2024-30098 1 Microsoft 22 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 19 more 2026-02-10 7.5 High
Windows Cryptographic Services Security Feature Bypass Vulnerability
CVE-2024-38164 1 Microsoft 1 Groupme 2026-02-10 9.6 Critical
An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.