Search

Search Results (364834 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-1711 1 Endress 2 Meac300-fnade4, Meac300-fnade4 Firmware 2026-01-29 4.3 Medium
Multiple services of the DUT as well as different scopes of the same service reuse the same credentials.
CVE-2025-67229 1 Todesktop 1 Builder 2026-01-29 9.8 Critical
An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1 This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation.
CVE-2025-67230 1 Todesktop 1 Builder 2026-01-29 7.1 High
Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation.
CVE-2025-67231 1 Todesktop 1 Builder 2026-01-29 5.9 Medium
A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload.
CVE-2025-56157 1 Langgenius 1 Dify 2026-01-29 9.8 Critical
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
CVE-2025-27453 1 Endress 2 Meac300-fnade4, Meac300-fnade4 Firmware 2026-01-29 5.3 Medium
The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
CVE-2025-49182 1 Sick 1 Media Server 2026-01-29 7.5 High
Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application.
CVE-2025-49183 1 Sick 1 Media Server 2026-01-29 7.5 High
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
CVE-2025-49184 1 Sick 6 Baggage Analytics, Enterprise Analytics, Field Analytics and 3 more 2026-01-29 7.5 High
A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product.
CVE-2024-53636 2 Academiaerp, Serosoft 2 Student Information System, Academia Student Information System 2026-01-29 6.4 Medium
An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath parameter.
CVE-2024-4464 1 Synology 1 Media Server 2026-01-29 7.5 High
Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors.
CVE-2025-49185 1 Sick 1 Field Analytics 2026-01-29 5.5 Medium
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
CVE-2025-49187 1 Sick 1 Field Analytics 2026-01-29 5.3 Medium
For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
CVE-2025-49190 1 Sick 1 Field Analytics 2026-01-29 4.3 Medium
The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
CVE-2025-49188 1 Sick 1 Field Analytics 2026-01-29 5.3 Medium
The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
CVE-2025-49191 1 Sick 1 Field Analytics 2026-01-29 4.8 Medium
Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.
CVE-2025-65091 1 Xwiki 2 Full Calendar Macro, Xwiki 2026-01-29 10 Critical
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
CVE-2025-65090 1 Xwiki 2 Full Calendar Macro, Xwiki 2026-01-29 5.3 Medium
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
CVE-2025-1708 1 Endress 2 Meac300-fnade4, Meac300-fnade4 Firmware 2026-01-29 8.6 High
The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content.
CVE-2025-15223 1 Philipinho 1 Simple-php-blog 2026-01-29 4.3 Medium
A vulnerability was found in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. Impacted is an unknown function of the file /login.php. Performing manipulation of the argument Username results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure and makes clear that the product is "[f]or educational purposes only".