Export limit exceeded: 364952 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364952 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-59541 1 Chamilo 1 Chamilo Lms 2026-03-09 8.1 High
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34.
CVE-2025-55289 1 Chamilo 1 Chamilo Lms 2026-03-09 8.8 High
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.
CVE-2025-66944 2 Databasir, Vran-dev 2 Databasir, Databaseir 2026-03-09 9.8 Critical
SQL Injection vulnerability in vran-dev databaseir v.1.0.7 and before allows a remote attacker to execute arbitrary code via the query parameter in the search API endpoint
CVE-2025-69969 2 Pebblepower, Powertech 3 Pebble Prism Ultra, Pebble Prism Ultra Firmware, Pebble Prism Ultra 2026-03-09 9.6 Critical
A lack of authentication and authorization mechanisms in the Bluetooth Low Energy (BLE) communication protocol of SRK Powertech Pvt Ltd Pebble Prism Ultra v2.9.2 allows attackers to reverse engineer the protocol and execute arbitrary commands on the device without establishing a connection. This is exploitable over Bluetooth Low Energy (BLE) proximity (Adjacent), requiring no physical contact with the device. Furthermore, the vulnerability is not limited to arbitrary commands but includes cleartext data interception and unauthenticated firmware hijacking via OTA services.
CVE-2024-58040 2 Perl, Qwer 2 Crypt Randomencryption, Crypt\ 2026-03-09 9.1 Critical
Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.
CVE-2025-15545 1 Tp-link 2 Archer Re605x, Archer Re605x Firmware 2026-03-09 6.8 Medium
The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability.
CVE-2022-35290 1 Sap 1 Authenticator 2026-03-09 7.5 High
Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted.
CVE-2022-30633 2 Golang, Redhat 14 Go, Acm, Application Interconnect and 11 more 2026-03-09 7.5 High
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
CVE-2025-30042 1 Cgm 2 Cgm Clininet, Clininet 2026-03-09 7.8 High
The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication, regardless of the actual presence of the smart card or ownership of the private key.
CVE-2025-15509 1 Vivo 2 Smartremote, Smartremote Module 2026-03-09 4.3 Medium
The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage.
CVE-2025-15567 1 Vivo 2 Health, Health Module 2026-03-09 3.3 Low
Insufficient protection mechanisms in the Health Module may lead to partial information disclosure.
CVE-2025-15035 1 Tp-link 2 Archer Axe75, Archer Axe75 Firmware 2026-03-09 7.3 High
Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality.This issue affects Archer AXE75 v1.6: ≤ build 20250107.
CVE-2025-58402 1 Cgm 2 Cgm Clininet, Clininet 2026-03-09 7.5 High
The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users.
CVE-2025-58405 1 Cgm 2 Cgm Clininet, Clininet 2026-03-09 6.1 Medium
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into performing unintended actions, including potentially bypassing CSRF/XSRF defenses.
CVE-2025-55848 1 Dlink 3 Dir-823, Dir-823x, Dir-823x Firmware 2026-03-09 8.8 High
An issue was discovered in DIR-823 firmware 20250416. There is an RCE vulnerability in the set_cassword settings interface, as the http_casswd parameter is not filtered by '&'to allow injection of reverse connection commands.
CVE-2025-14208 2 D-link, Dlink 3 Dir-823x, Dir-823x, Dir-823x Firmware 2026-03-09 6.3 Medium
A security flaw has been discovered in D-Link DIR-823X up to 20250416. This affects the function sub_415028 of the file /goform/set_wan_settings. The manipulation of the argument ppp_username results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
CVE-2025-58406 1 Cgm 2 Cgm Clininet, Clininet 2026-03-09 4.3 Medium
The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross‑origin isolation, and missing transport security controls.
CVE-2025-11683 2 Perl, Toddr 3 Perl, Yaml::syck, Yaml\ 2026-03-09 6.5 Medium
YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read The issue is seen with complex YAML files with a hash of all keys and empty values.  There is no indication that the issue leads to accessing memory outside that allocated to the module.
CVE-2024-57854 1 Dougdude 2 Net::nsca::client, Net\ 2026-03-09 9.1 Critical
Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator. Version v0.003 switched to use Data::Rand::Obscure instead of Crypt::Random for generation of a random initialisation vectors. Data::Rand::Obscure uses Perl's built-in rand() function, which is not suitable for cryptographic functions.
CVE-2022-40619 1 Netgear 22 R6230, R6230 Firmware, R6260 and 19 more 2026-03-09 7.7 High
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.