Search

Search Results (363315 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-13984 2 Drupal, Kanopi 2 Next.js, Next.js 2026-02-06 6.1 Medium
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.
CVE-2025-13986 2 Drupal, Zyxware 2 Disable Login Page, Disable Login Page 2026-02-06 4.2 Medium
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.
CVE-2025-13985 2 Drupal, Ithom 2 Entity Share, Entity Share 2026-02-06 5.3 Medium
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.
CVE-2025-14840 2 Bmeme, Drupal 2 Http Client Manager, Http Client Manager 2026-02-06 7.5 High
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.
CVE-2025-61726 2 Go Standard Library, Golang 2 Net/url, Go 2026-02-06 7.5 High
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVE-2025-61728 2 Go Standard Library, Golang 2 Archive/zip, Go 2026-02-06 6.5 Medium
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-12810 1 Delinea 1 Secret Server 2026-02-06 6.5 Medium
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails.
CVE-2025-5553 1 Phpgurukul 1 Rail Pass Management System 2026-02-06 7.3 High
A vulnerability classified as critical was found in PHPGurukul Rail Pass Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /download-pass.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-6425 1 Bigprof 1 Online Clinic Management System 2026-02-06 6.3 Medium
A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.
CVE-2022-40924 1 Phpgurukul 1 Zoo Management System 2026-02-06 7.2 High
Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_animal" file of the "Animals" module in the background management system.
CVE-2024-37385 2 Microsoft, Roundcube 3 Windows, Roundcube Webmail, Webmail 2026-02-06 9.8 Critical
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
CVE-2023-53662 1 Linux 1 Linux Kernel 2026-02-06 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} If the filename casefolding fails, we'll be leaking memory from the fscrypt_name struct, namely from the 'crypto_buf.name' member. Make sure we free it in the error path on both ext4_fname_setup_filename() and ext4_fname_prepare_lookup() functions.
CVE-2022-44151 1 Sanitization Management System Project 1 Sanitization Management System 2026-02-06 9.8 Critical
Simple Inventory Management System v1.0 is vulnerable to SQL Injection via /ims/login.php.
CVE-2025-4614 2 Palo Alto Networks, Paloaltonetworks 2 Pan-os, Pan-os 2026-02-06 2.7 Low
An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked.   The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.
CVE-2025-66415 1 Fastify 1 Reply-from 2026-02-06 5.4 Medium
fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.
CVE-2025-66410 2 Flipped-aurora, Gin-vue-admin Project 2 Gin-vue-admin, Gin-vue-admin 2026-02-06 9.1 Critical
Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder.
CVE-2025-66400 2 Syntax-tree, Unifiedjs 2 Mdast-util-to-hast, Mdast-util-to-hast 2026-02-06 5.3 Medium
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
CVE-2025-66401 2 Kapilduraphe, Mcp-watch Project 2 Mcp Watch, Mcp-watch 2026-02-06 9.8 Critical
MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.
CVE-2025-49643 1 Zabbix 2 Frontend, Zabbix 2026-02-06 6.5 Medium
An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.
CVE-2025-27232 1 Zabbix 2 Frontend, Zabbix 2026-02-06 4.9 Medium
An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.