Export limit exceeded: 10202 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363318 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363318 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68670 | 2 Debian, Neutrinolabs | 2 Debian Linux, Xrdp | 2026-02-06 | 9.1 Critical |
| xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems. | ||||
| CVE-2025-65264 | 1 Cpuid | 1 Cpu-z | 2026-02-06 | 5.5 Medium |
| The kernel driver of CPUID CPU-Z v2.17 and earlier does not validate user-supplied values passed via its IOCTL interface, allowing an attacker to access sensitive information via a crafted request. | ||||
| CVE-2025-47283 | 1 Gardener | 1 Gardener | 2026-02-06 | 9.9 Critical |
| Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue. | ||||
| CVE-2025-14472 | 2 Acquia, Drupal | 2 Acquia Content Hub, Acquia Content Hub | 2026-02-06 | 8.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. | ||||
| CVE-2025-13984 | 2 Drupal, Kanopi | 2 Next.js, Next.js | 2026-02-06 | 6.1 Medium |
| Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. | ||||
| CVE-2025-13986 | 2 Drupal, Zyxware | 2 Disable Login Page, Disable Login Page | 2026-02-06 | 4.2 Medium |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3. | ||||
| CVE-2025-13985 | 2 Drupal, Ithom | 2 Entity Share, Entity Share | 2026-02-06 | 5.3 Medium |
| Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0. | ||||
| CVE-2025-14840 | 2 Bmeme, Drupal | 2 Http Client Manager, Http Client Manager | 2026-02-06 | 7.5 High |
| Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1. | ||||
| CVE-2025-61726 | 2 Go Standard Library, Golang | 2 Net/url, Go | 2026-02-06 | 7.5 High |
| The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. | ||||
| CVE-2025-61728 | 2 Go Standard Library, Golang | 2 Archive/zip, Go | 2026-02-06 | 6.5 Medium |
| archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | ||||
| CVE-2025-12810 | 1 Delinea | 1 Secret Server | 2026-02-06 | 6.5 Medium |
| Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails. | ||||
| CVE-2025-5553 | 1 Phpgurukul | 1 Rail Pass Management System | 2026-02-06 | 7.3 High |
| A vulnerability classified as critical was found in PHPGurukul Rail Pass Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /download-pass.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-6425 | 1 Bigprof | 1 Online Clinic Management System | 2026-02-06 | 6.3 Medium |
| A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | ||||
| CVE-2022-40924 | 1 Phpgurukul | 1 Zoo Management System | 2026-02-06 | 7.2 High |
| Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_animal" file of the "Animals" module in the background management system. | ||||
| CVE-2024-37385 | 2 Microsoft, Roundcube | 3 Windows, Roundcube Webmail, Webmail | 2026-02-06 | 9.8 Critical |
| Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. | ||||
| CVE-2023-53662 | 1 Linux | 1 Linux Kernel | 2026-02-06 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} If the filename casefolding fails, we'll be leaking memory from the fscrypt_name struct, namely from the 'crypto_buf.name' member. Make sure we free it in the error path on both ext4_fname_setup_filename() and ext4_fname_prepare_lookup() functions. | ||||
| CVE-2022-44151 | 1 Sanitization Management System Project | 1 Sanitization Management System | 2026-02-06 | 9.8 Critical |
| Simple Inventory Management System v1.0 is vulnerable to SQL Injection via /ims/login.php. | ||||
| CVE-2025-4614 | 2 Palo Alto Networks, Paloaltonetworks | 2 Pan-os, Pan-os | 2026-02-06 | 2.7 Low |
| An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability. | ||||
| CVE-2025-66415 | 1 Fastify | 1 Reply-from | 2026-02-06 | 5.4 Medium |
| fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0. | ||||
| CVE-2025-66410 | 2 Flipped-aurora, Gin-vue-admin Project | 2 Gin-vue-admin, Gin-vue-admin | 2026-02-06 | 9.1 Critical |
| Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder. | ||||