Search

Search Results (364251 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-7209 1 9fans 1 Plan9port 2026-02-02 3.3 Low
A vulnerability has been found in 9fans plan9port up to 9da5b44 and classified as problematic. Affected by this vulnerability is the function value_decode in the library src/libsec/port/x509.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is deae8939583d83fd798fca97665e0e94656c3ee8. It is recommended to apply a patch to fix this issue.
CVE-2025-2503 1 Lenovo 1 Pcmanager 2026-02-02 7.1 High
An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user.
CVE-2025-67717 1 Zitadel 1 Zitadel 2026-02-02 4.3 Medium
ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.
CVE-2018-17207 1 Awesomemotive 1 Duplicator 2026-02-02 9.8 Critical
An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
CVE-2018-25095 1 Awesomemotive 1 Duplicator 2026-02-02 9.8 Critical
The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server.
CVE-2018-7543 1 Awesomemotive 1 Duplicator 2026-02-02 6.1 Medium
Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter.
CVE-2020-11738 1 Awesomemotive 1 Duplicator 2026-02-02 7.5 High
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
CVE-2022-2551 1 Awesomemotive 1 Duplicator 2026-02-02 7.5 High
The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating.
CVE-2022-2552 1 Awesomemotive 1 Duplicator 2026-02-02 5.3 Medium
The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site.
CVE-2025-67713 1 Miniflux Project 1 Miniflux 2026-02-02 6.1 Medium
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
CVE-2025-59935 1 Glpi-project 1 Glpi 2026-02-02 6.5 Medium
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
CVE-2025-7397 1 Brocade 1 Ascg 2026-02-02 7.1 High
A vulnerability in the ascgshell, of Brocade ASCG before 3.3.0 stores any command executed in the Command Line Interface (CLI) in plain text within the command history. A local authenticated user that can access sensitive information like passwords within the CLI history leading to unauthorized access and potential data breaches.
CVE-2025-62408 1 C-ares 1 C-ares 2026-02-02 5.9 Medium
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.
CVE-2025-69285 2 Dataease, Fit2cloud 2 Sqlbot, Sqlbot 2026-02-02 6.1 Medium
SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available.
CVE-2024-2420 1 Honeywell 1 Lenels2 Netbox 2026-02-02 9.8 Critical
LenelS2 NetBox access control and event monitoring system was discovered to contain Hardcoded Credentials in versions prior to and including 5.6.1 which allows an attacker to bypass authentication requirements.
CVE-2024-2422 1 Honeywell 1 Lenels2 Netbox 2026-02-02 8.8 High
LenelS2 NetBox access control and event monitoring system was discovered to contain an authenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands.
CVE-2024-2421 1 Honeywell 1 Lenels2 Netbox 2026-02-02 9.8 Critical
LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions.
CVE-2025-64718 2 Js-yaml, Nodeca 2 Js-yaml, Js-yaml 2026-02-02 5.3 Medium
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
CVE-2024-34764 2026-02-02 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Collision with another CVE ID.
CVE-2024-43275 2026-02-02 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Collision with another CVE.