Export limit exceeded: 364909 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364909 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-25277 1 Iwt 2 Facesentry Access Control System, Facesentry Access Control System Firmware 2026-03-05 6.1 Medium
FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.
CVE-2019-25267 1 Wftpserver 1 Wing Ftp Server 2026-03-05 7.8 High
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions.
CVE-2019-25261 1 Anydesk 1 Anydesk 2026-03-05 7.8 High
AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges.
CVE-2025-15597 2 Dataease, Fit2cloud 2 Sqlbot, Sqlbot 2026-03-05 6.3 Medium
A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.0 mitigates this issue. The name of the patch is d640ac31d1ce64ce90e06cf7081163915c9fc28c. Upgrading the affected component is recommended. Multiple endpoints are affected. The vendor was contacted early about this disclosure.
CVE-2025-15599 1 Cure53 1 Dompurify 2026-03-05 6.1 Medium
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
CVE-2025-63909 1 Cohesity 2 Tranzman, Tranzman Migration Appliance 2026-03-05 7.2 High
Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write arbitrary files.
CVE-2025-63910 1 Cohesity 2 Tranzman, Tranzman Migration Appliance 2026-03-05 7.2 High
An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted patch file.
CVE-2025-63911 1 Cohesity 2 Tranzman, Tranzman Migration Appliance 2026-03-05 7.2 High
Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to contain an authenticated command injection vulnerability.
CVE-2025-67840 1 Cohesity 1 Tranzman 2026-03-05 7.2 High
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.
CVE-2025-13490 1 Ibm 3 App Connect Enterprise Certified Containers Operands, App Connect Enterprisecertified Containers Operands, App Connect Operator 2026-03-04 5.9 Medium
IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2‑r1 through 12.0.12.5‑r1 and 13.0.1.0‑r1 through 13.0.6.1‑r1, and LTS versions 12.0.12‑r1 through 12.0.12‑r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive information through man‑in‑the‑middle techniques.
CVE-2025-70236 2 D-link, Dlink 3 Dir-513, Dir-513, Dir-513 Firmware 2026-03-04 5.3 Medium
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDomainFilter.
CVE-2025-13616 1 Ibm 1 Datastage On Cloud Pak For Data 2026-03-04 6.5 Medium
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system.
CVE-2025-13734 1 Ibm 1 Engineering Requirements Management Doors Next 2026-03-04 5.4 Medium
IBM Engineering Requirements Management DOORS Next 7.1, and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions.
CVE-2025-14923 1 Ibm 2 Websphere Application Server, Websphere Application Server Liberty 2026-03-04 4.7 Medium
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.2 IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings.
CVE-2025-36364 1 Ibm 1 Devops Plan 2026-03-04 6.2 Medium
IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.
CVE-2025-36363 1 Ibm 1 Devops Plan 2026-03-04 5.9 Medium
IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVE-2025-47371 1 Qualcomm 251 5g Fixed Wireless Access Platform, 5g Fixed Wireless Access Platform Firmware, Ar8035 and 248 more 2026-03-04 6.5 Medium
Transient DOS when an LTE RLC packet with invalid TB is received by UE.
CVE-2025-52365 1 Ccurtsinger 1 Stabilizer 2026-03-04 7.8 High
A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system(). The vulnerability arises from improper input handling where command-line arguments are directly concatenated into shell commands without validation
CVE-2024-55027 1 Weintek 4 Cmt-3072xh2, Cmt-3072xh2 Firmware, Cmt3072xh and 1 more 2026-03-04 7.5 High
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db.
CVE-2024-55019 1 Weintek 4 Cmt-3072xh2, Cmt-3072xh2 Firmware, Cmt3072xh and 1 more 2026-03-04 6.5 Medium
Incorrect access control in the component download_wb.cgi of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows unauthenticated attack to download arbitrary files.