Export limit exceeded: 364922 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 364922 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364922 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-67745 1 Aiven 1 Myhoard 2026-03-05 7.1 High
MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null.
CVE-2020-9375 1 Tp-link 2 Archer C5, Archer C50 2026-03-05 7.5 High
TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allows remote attackers to cause a denial of service via a crafted HTTP Header containing an unexpected Referer field.
CVE-2025-68481 2 Fastapi-users, Fastapi-users Project 2 Fastapi-users, Fastapi Users 2026-03-05 5.9 Medium
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. Any attacker can hit `/authorize`, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading `.../callback?code=<attacker_code>&state=<attacker_state>`. Because the state JWT is valid for any client for \~1 hour, the victim’s browser will complete the flow. This leads to login CSRF. Depending on the app’s logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker's account. Version 15.0.2 contains a patch for the issue.
CVE-2025-14517 1 Yalantis 1 Ucrop 2026-03-05 5.3 Medium
A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity  of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-14516 1 Yalantis 1 Ucrop 2026-03-05 6.3 Medium
A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-59787 1 2n 1 Access Commander 2026-03-05 6.5 Medium
2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts.
CVE-2025-15015 1 Ragic 1 Enterprise Cloud Database 2026-03-05 7.5 High
Enterprise Cloud Database developed by Ragic has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
CVE-2025-15016 1 Ragic 1 Enterprise Cloud Database 2026-03-05 9.8 Critical
Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user.
CVE-2018-5383 4 Apple, Google, Redhat and 1 more 5 Iphone Os, Mac Os X, Android and 2 more 2026-03-05 6.8 Medium
Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.
CVE-2025-40895 2 Nozomi Networks, Nozominetworks 2 Cmc, Cmc 2026-03-05 4.8 Medium
A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. A malicious authenticated user with administrator privileges on a Guardian connected to a CMC can edit the Guardian's properties to inject HTML tags. If the Sensor Map functionality is enabled in the CMC, when a victim CMC user interacts with it, then the injected HTML may render in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
CVE-2025-40896 2 Nozomi Networks, Nozominetworks 2 Arc, Arc 2026-03-05 6.5 Medium
The server certificate was not verified when an Arc agent connected to a Guardian or CMC. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.
CVE-2025-70341 1 App-auto-patch 1 App-auto-patch 2026-03-05 7.8 High
Insecure permissions in App-Auto-Patch v3.4.2 create a race condition which allows attackers to write arbitrary files.
CVE-2025-64736 2 Libbiosig Project, The Biosig Project 2 Libbiosig, Libbiosig 2026-03-05 6.1 Medium
An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2025-62879 1 Suse 2 Rancher, Rancher Backup And Restore Operator 2026-03-05 6.8 Medium
A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod's logs.
CVE-2025-14532 2 Studio Fabryka, Studiofabryka 2 Dobrycms, Dorbycms 2026-03-05 9.8 Critical
DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution. This issue was fixed in versions above 5.0.
CVE-2023-31324 1 Amd 28 Instinct Mi210, Instinct Mi250, Instinct Mi300a and 25 more 2026-03-05 7.8 High
A Time-of-check time-of-use (TOCTOU) race condition in the AMD Secure Processor (ASP) could allow an attacker to modify External Global Memory Interconnect Trusted Agent (XGMI TA) commands as they are processed potentially resulting in loss of confidentiality, integrity, or availability.
CVE-2023-20548 1 Amd 28 Instinct Mi210, Instinct Mi250, Instinct Mi300a and 25 more 2026-03-05 7.8 High
A Time-of-check time-of-use (TOCTOU) race condition in the AMD Secure Processor (ASP) could allow an attacker to corrupt memory resulting in loss of integrity, confidentiality, or availability.
CVE-2025-64427 2 Icewhaletech, Zimaspace 2 Zimaos, Zimaos 2026-03-05 7.1 High
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.
CVE-2025-59783 1 2n 1 Access Commander 2026-03-05 7.2 High
API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have a sufficient input validation allowing for OS command injection. This vulnerability can only be exploited after authenticating with administrator privileges.
CVE-2025-59784 1 2n 1 Access Commander 2026-03-05 7.2 High
2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges.