Export limit exceeded: 363660 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363660 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70149 | 1 Codeastro | 1 Membership Management System | 2026-02-23 | 9.8 Critical |
| CodeAstro Membership Management System 1.0 is vulnerable to SQL Injection in print_membership_card.php via the ID parameter. | ||||
| CVE-2025-70150 | 1 Codeastro | 1 Membership Management System | 2026-02-23 | 9.8 Critical |
| CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter. | ||||
| CVE-2024-55271 | 1 Phpgurukul | 1 Gym Management System | 2026-02-23 | 3.5 Low |
| A Cross-Site Request Forgery (CSRF) vulnerability has been identified in phpgurukul Gym Management System 1.0. This issue is present in the profile update functionality of the User Panel, specifically the /profile.php endpoint. | ||||
| CVE-2025-70141 | 2 Oretnom23, Sourcecodester | 2 Customer Support System, Customer Support System | 2026-02-23 | 9.4 Critical |
| SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification. | ||||
| CVE-2025-41738 | 1 Codesys | 22 Control For Beaglebone Sl, Control For Empc-a/imx6 Sl, Control For Empc-a\/imx6 Sl and 19 more | 2026-02-23 | 7.5 High |
| An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition. | ||||
| CVE-2025-41700 | 1 Codesys | 2 Codesys, Development System | 2026-02-23 | 7.8 High |
| An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context. | ||||
| CVE-2025-70296 | 2 Mealie, Mealie-recipes | 2 Mealie, Mealie | 2026-02-23 | 5.4 Medium |
| A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view. | ||||
| CVE-2025-70297 | 2 Mealie, Mealie-recipes | 2 Mealie, Mealie | 2026-02-23 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser. | ||||
| CVE-2025-69210 | 1 Facturascripts | 1 Facturascripts | 2026-02-23 | 5.4 Medium |
| FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue. | ||||
| CVE-2024-5462 | 1 Broadcom | 1 Fabric Operating System | 2026-02-23 | 7.5 High |
| If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified. | ||||
| CVE-2024-5461 | 1 Broadcom | 2 Brocade 6547, Fabric Operating System | 2026-02-23 | 8.0 High |
| Implementation of the Simple Network Management Protocol (SNMP) operating on the Brocade 6547 (FC5022) embedded switch blade, makes internal script calls to system.sh from within the SNMP binary. An authenticated attacker could perform command or parameter injection on SNMP operations that are only enabled on the Brocade 6547 (FC5022) embedded switch. This injection could allow the authenticated attacker to issue commands as Root. | ||||
| CVE-2025-52603 | 1 Hcltech | 1 Connections | 2026-02-23 | 3.5 Low |
| HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser. | ||||
| CVE-2025-15577 | 1 Valmet | 2 Dna, Valmet Dna Web Tools | 2026-02-23 | 7.5 High |
| An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older. | ||||
| CVE-2013-6662 | 1 Google | 1 Chrome | 2026-02-23 | 6.5 Medium |
| Google Chrome caches TLS sessions before certificate validation occurs. | ||||
| CVE-2022-40011 | 1 Typora | 1 Typora | 2026-02-23 | 6.1 Medium |
| Typora through 1.3.8 allows XSS if a document containing an SVG element with an attacker-controlled onload attribute is exported and then used at a victim's origin. | ||||
| CVE-2025-49113 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2026-02-23 | 9.9 Critical |
| Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | ||||
| CVE-2025-70829 | 1 Running-elephant | 1 Datart | 2026-02-23 | 5.7 Medium |
| An information exposure vulnerability in Datart v1.0.0-rc.3 allows authenticated attackers to access sensitive data via a custom H2 JDBC connection string. | ||||
| CVE-2023-38265 | 1 Ibm | 1 Cloud Pak System | 2026-02-23 | 5.3 Medium |
| IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system. | ||||
| CVE-2021-41810 | 1 M-files | 1 Server | 2026-02-23 | 5.2 Medium |
| Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable | ||||
| CVE-2025-9826 | 1 M-files | 2 Hubshare, M-files | 2026-02-23 | 5.4 Medium |
| Stored cross-site scripting vulnerability in M-Files Hubshare before version 25.8 allows authenticated attackers to cause script execution for other users. | ||||