Search
Search Results (364787 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69431 | 1 Zspace | 3 Q2c, Q2c Firmware, Q2c Nas | 2026-02-11 | 6.1 Medium |
| The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's directory mounted on the NAS using the Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files. | ||||
| CVE-2025-69848 | 1 Netbox | 1 Netbox | 2026-02-11 | 5.4 Medium |
| NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages without proper escaping. This allows user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships, potentially enabling execution of arbitrary client-side code in the context of a privileged user. | ||||
| CVE-2025-69875 | 1 Quickheal | 1 Total Security | 2026-02-11 | 7.8 High |
| A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation. | ||||
| CVE-2025-70841 | 2 Amcoders, Dokans | 2 Dokans, Multitenancy Based Ecommerce Platform Saas | 2026-02-11 | 10 Critical |
| Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system. | ||||
| CVE-2025-61546 | 1 Edubusinesssolutions | 1 Print Shop Pro Webdesk | 2026-02-11 | 9.1 Critical |
| There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69) that enables remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls. | ||||
| CVE-2025-70849 | 1 Stefanprodan | 1 Podinfo | 2026-02-11 | 6.1 Medium |
| Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS). | ||||
| CVE-2025-63386 | 2 Dify, Langgenius | 2 Dify, Dify | 2026-02-11 | 9.1 Critical |
| A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap. | ||||
| CVE-2025-21427 | 1 Qualcomm | 358 205 Mobile, 205 Mobile Firmware, 215 Mobile and 355 more | 2026-02-11 | 8.2 High |
| Information disclosure while decoding this RTP packet Payload when UE receives the RTP packet from the network. | ||||
| CVE-2026-26044 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26043 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26042 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26041 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26040 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26039 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26038 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26037 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2026-26036 | 2026-02-11 | N/A | ||
| Not used | ||||
| CVE-2024-30098 | 1 Microsoft | 22 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 19 more | 2026-02-10 | 7.5 High |
| Windows Cryptographic Services Security Feature Bypass Vulnerability | ||||
| CVE-2024-38164 | 1 Microsoft | 1 Groupme | 2026-02-10 | 9.6 Critical |
| An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link. | ||||
| CVE-2024-38176 | 1 Microsoft | 1 Groupme | 2026-02-10 | 8.1 High |
| An improper restriction of excessive authentication attempts in GroupMe allows a unauthenticated attacker to elevate privileges over a network. | ||||