Export limit exceeded: 29948 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363855 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-15115 1 Petlibro 2 Petlibro, Smart Pet Feeder Platform 2026-02-03 6.5 Medium
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and account access without proper OAuth verification.
CVE-2025-3646 1 Petlibro 2 Petlibro, Smart Pet Feeder Platform 2026-02-03 7.3 High
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation.
CVE-2025-3652 1 Petlibro 2 Petlibro, Smart Pet Feeder Platform 2026-02-03 5.3 Medium
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users' private recordings.
CVE-2025-61505 1 E107 1 E107 2026-02-03 6.5 Medium
e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase.
CVE-2025-3653 1 Petlibro 2 Petlibro, Smart Pet Feeder Platform 2026-02-03 7.3 High
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control APIs to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks.
CVE-2025-3654 1 Petlibro 2 Petlibro, Smart Pet Feeder Platform 2026-02-03 5.3 Medium
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks.
CVE-2025-3660 1 Petlibro 2 Petlibro, Smart Pet Feeder Platform 2026-02-03 6.5 Medium
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information including pet details, member IDs, and avatar URLs without proper authorization checks.
CVE-2025-41086 2 Ams Development Corp., Gams 2 Gams, Gams 2026-02-03 6.5 Medium
Vulnerability in the access control system of the GAMS licensing system that allows unlimited valid licenses to be generated, bypassing any usage restrictions. The validator uses an insecure checksum algorithm; knowing this algorithm and the format of the license lines, an attacker can recalculate the checksum and generate a valid license to grant themselves full privileges without credentials or access to the source code, allowing them unrestricted access to GAMS's mathematical models and commercial solvers.
CVE-2025-71001 1 Oneflow 1 Oneflow 2026-02-03 6.5 Medium
A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-9127 1 Purestorage 2 Portworx, Px Enterprise 2026-02-03 5.5 Medium
A vulnerability exists in PX Enterprise whereby sensitive information may be logged under specific conditions.
CVE-2025-71002 1 Oneflow 1 Oneflow 2026-02-03 6.5 Medium
A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-71003 1 Oneflow 1 Oneflow 2026-02-03 7.5 High
An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-11235 2 Microsoft, Progress 2 Windows, Moveit Transfer 2026-02-03 3.7 Low
Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.
CVE-2025-30160 1 Redlib 1 Redlib 2026-02-03 7.5 High
Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0.
CVE-2025-58441 2 Eng, Knowage-suite 2 Knowage, Knowage 2026-02-03 6.5 Medium
Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker should be able to leverage this vulnerability to scan the internal network. This issue has been patched in version 8.1.37.
CVE-2025-66560 1 Quarkus 1 Quarkus 2026-02-03 5.9 Medium
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.
CVE-2025-13983 2 Drupal, Factorial 2 Tagify, Tagify 2026-02-03 5.4 Medium
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.
CVE-2025-71004 1 Oneflow 1 Oneflow 2026-02-03 6.5 Medium
A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-71005 1 Oneflow 1 Oneflow 2026-02-03 6.5 Medium
A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-71006 1 Oneflow 1 Oneflow 2026-02-03 6.5 Medium
A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.