Export limit exceeded: 363660 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363660 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-70149 1 Codeastro 1 Membership Management System 2026-02-23 9.8 Critical
CodeAstro Membership Management System 1.0 is vulnerable to SQL Injection in print_membership_card.php via the ID parameter.
CVE-2025-70150 1 Codeastro 1 Membership Management System 2026-02-23 9.8 Critical
CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.
CVE-2024-55271 1 Phpgurukul 1 Gym Management System 2026-02-23 3.5 Low
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in phpgurukul Gym Management System 1.0. This issue is present in the profile update functionality of the User Panel, specifically the /profile.php endpoint.
CVE-2025-70141 2 Oretnom23, Sourcecodester 2 Customer Support System, Customer Support System 2026-02-23 9.4 Critical
SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.
CVE-2025-41738 1 Codesys 22 Control For Beaglebone Sl, Control For Empc-a/imx6 Sl, Control For Empc-a\/imx6 Sl and 19 more 2026-02-23 7.5 High
An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition.
CVE-2025-41700 1 Codesys 2 Codesys, Development System 2026-02-23 7.8 High
An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.
CVE-2025-70296 2 Mealie, Mealie-recipes 2 Mealie, Mealie 2026-02-23 5.4 Medium
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.
CVE-2025-70297 2 Mealie, Mealie-recipes 2 Mealie, Mealie 2026-02-23 6.1 Medium
A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser.
CVE-2025-69210 1 Facturascripts 1 Facturascripts 2026-02-23 5.4 Medium
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.
CVE-2024-5462 1 Broadcom 1 Fabric Operating System 2026-02-23 7.5 High
If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified.
CVE-2024-5461 1 Broadcom 2 Brocade 6547, Fabric Operating System 2026-02-23 8.0 High
Implementation of the Simple Network Management Protocol (SNMP) operating on the Brocade 6547 (FC5022) embedded switch blade, makes internal script calls to system.sh from within the SNMP binary. An authenticated attacker could perform command or parameter injection on SNMP operations that are only enabled on the Brocade 6547 (FC5022) embedded switch. This injection could allow the authenticated attacker to issue commands as Root.
CVE-2025-52603 1 Hcltech 1 Connections 2026-02-23 3.5 Low
HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.
CVE-2025-15577 1 Valmet 2 Dna, Valmet Dna Web Tools 2026-02-23 7.5 High
An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older.
CVE-2013-6662 1 Google 1 Chrome 2026-02-23 6.5 Medium
Google Chrome caches TLS sessions before certificate validation occurs.
CVE-2022-40011 1 Typora 1 Typora 2026-02-23 6.1 Medium
Typora through 1.3.8 allows XSS if a document containing an SVG element with an attacker-controlled onload attribute is exported and then used at a victim's origin.
CVE-2025-49113 2 Debian, Roundcube 2 Debian Linux, Webmail 2026-02-23 9.9 Critical
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
CVE-2025-70829 1 Running-elephant 1 Datart 2026-02-23 5.7 Medium
An information exposure vulnerability in Datart v1.0.0-rc.3 allows authenticated attackers to access sensitive data via a custom H2 JDBC connection string.
CVE-2023-38265 1 Ibm 1 Cloud Pak System 2026-02-23 5.3 Medium
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system.
CVE-2021-41810 1 M-files 1 Server 2026-02-23 5.2 Medium
Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable
CVE-2025-9826 1 M-files 2 Hubshare, M-files 2026-02-23 5.4 Medium
Stored cross-site scripting vulnerability in M-Files Hubshare before version 25.8 allows authenticated attackers to cause script execution for other users.