Search

Search Results (365200 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-26298 2026-02-14 N/A
Not used
CVE-2026-26297 2026-02-14 N/A
Not used
CVE-2026-26296 2026-02-14 N/A
Not used
CVE-2026-26295 2026-02-14 N/A
Not used
CVE-2025-59429 2 Freepbx, Sangoma 2 Freepbx, Freepbx 2026-02-13 5.4 Medium
FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk HTTP status page is exposed by FreePBX and is available by default on version 16 via any bound IP address at port 8088. By default on version 17, the binding is only to localhost IP, making it significantly less vulnerable. The vulnerability can be exploited by unauthenticated attackers to obtain cookies from logged-in users, allowing them to hijack a session of an administrative user. The theft of admin session cookies allows attackers to gain control over the FreePBX admin interface, enabling them to access sensitive data, modify system configurations, create backdoor accounts, and cause service disruption. This issue has been patched in version 16.0.68.39 for FreePBX 16 and version 17.0.18.38 for FreePBX 17.
CVE-2025-59056 2 Freepbx, Sangoma 2 Freepbx, Freepbx 2026-02-13 7.5 High
FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables, which is where most modules store their configuration. This vulnerability is fixed in 15.0.38, 16.0.41, and 17.0.21.
CVE-2025-55211 2 Freepbx, Sangoma 2 Freepbx, Freepbx 2026-02-13 8.8 High
FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator Control Panel (ACP) can run arbitrary shell commands by maliciously changing languages of the framework module. This vulnerability is fixed in 17.0.21.
CVE-2025-3546 1 H3c 10 Magic Be18000, Magic Be18000 Firmware, Magic Nx15 and 7 more 2026-02-13 8 High
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/getLanguage of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
CVE-2021-37914 1 Argoproj 1 Argo Workflows 2026-02-13 6.5 Medium
In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated.
CVE-2024-50619 1 Cipplanner 1 Cipace 2026-02-13 8.8 High
Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allows attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people's accounts by tampering with the client's user id to change their account information. A low-privileged authenticated user can elevate his or her system privileges by modifying the information of a user role that is disabled in the client.
CVE-2024-50617 1 Cipplanner 1 Cipace 2026-02-13 7.5 High
Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file path in the URL query string to retrieve the files. (Retrieval is not intended without correct data access configured for documents.)
CVE-2019-25348 1 Computrols 1 Cbas-web 2026-02-13 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2023-33498 1 Alistgo 1 Alist 2026-02-13 8.8 High
alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file.
CVE-2025-63647 1 Owntone 2 Owntone-server, Owntone Server 2026-02-13 7.5 High
A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.
CVE-2025-24054 1 Microsoft 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more 2026-02-13 6.5 Medium
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
CVE-2024-47067 2 Alist Project, Alistgo 2 Alist, Alist 2026-02-13 6.1 Medium
AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up to HTML tags via XHTML and thus leading to a XSS vulnerability. This vulnerability is fixed in 3.29.0.
CVE-2022-26533 1 Alistgo 1 Alist 2026-02-13 6.1 Medium
Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.
CVE-2022-45968 1 Alistgo 1 Alist 2026-02-13 8.8 High
Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).
CVE-2022-45969 1 Alistgo 1 Alist 2026-02-13 9.8 Critical
Alist v3.4.0 is vulnerable to Directory Traversal,
CVE-2022-45970 1 Alistgo 1 Alist 2026-02-13 5.4 Medium
Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board.