Export limit exceeded: 363303 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363303 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-69601 1 Altumcode 1 66biolinks 2026-02-09 6.5 Medium
A directory traversal (Zip Slip) vulnerability exists in the “Static Sites” feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) file write to unintended locations, or overwriting existing HTML files, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten.
CVE-2025-69602 1 Altumcode 1 66biolinks 2026-02-09 9.1 Critical
A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session.
CVE-2025-12772 2 Broadcom, Brocade 2 Sannav, Sannav 2026-02-09 4.9 Medium
Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password.
CVE-2020-36928 1 Brother 1 Bragent 2026-02-09 7.8 High
Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions.
CVE-2020-36929 1 Brother 1 Brprint Auditor 2026-02-09 7.8 High
Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system.
CVE-2021-47785 1 Ethersoftware 1 Ether Mp3 Cd Burner 2026-02-09 9.8 Critical
Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation.
CVE-2025-66802 2 Covid-19 Contact Tracing System Project, Sourcecodester 2 Covid-19 Contact Tracing System, Covid-19 Contact Tracing System 2026-02-09 9.8 Critical
Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.
CVE-2026-25845 2026-02-07 N/A
Not used
CVE-2026-25844 2026-02-07 N/A
Not used
CVE-2026-25843 2026-02-07 N/A
Not used
CVE-2026-25842 2026-02-07 N/A
Not used
CVE-2026-25841 2026-02-07 N/A
Not used
CVE-2026-25840 2026-02-07 N/A
Not used
CVE-2026-25839 2026-02-07 N/A
Not used
CVE-2026-25838 2026-02-07 N/A
Not used
CVE-2026-25837 2026-02-07 N/A
Not used
CVE-2023-6763 2026-02-06 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2025-68138 2 Everest, Linuxfoundation 2 Everest-core, Libocpp 2026-02-06 4.7 Medium
EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue.
CVE-2025-68139 2 Everest, Linuxfoundation 2 Everest-core, Everest 2026-02-06 4.3 Medium
EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value.
CVE-2025-68140 2 Everest, Linuxfoundation 2 Everest-core, Everest 2026-02-06 4.3 Medium
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message submitted with a session ID of 0 is accepted, as it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with V2G messages handlers, updating a session context. Version 2025.9.0 fixes the issue.