Export limit exceeded: 364799 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 364799 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364799 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-36881 1 Microsoft 2 Azure Hdinsight, Azure Hdinsights 2026-02-11 4.5 Medium
Azure Apache Ambari Spoofing Vulnerability
CVE-2023-38156 1 Microsoft 1 Azure Hdinsight 2026-02-11 7.2 High
Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability
CVE-2023-38188 1 Microsoft 2 Azure Hdinsight, Azure Hdinsights 2026-02-11 4.5 Medium
Azure Apache Hadoop Spoofing Vulnerability
CVE-2025-67855 1 Moodle 1 Moodle 2026-02-11 5.4 Medium
A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.
CVE-2025-67853 1 Moodle 1 Moodle 2026-02-11 7.5 High
A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.
CVE-2025-67852 1 Moodle 1 Moodle 2026-02-11 3.5 Low
A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.
CVE-2025-67851 1 Moodle 1 Moodle 2026-02-11 6.1 Medium
A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.
CVE-2025-69983 1 Frangoteam 1 Fuxa 2026-02-11 8.2 High
FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.
CVE-2025-69981 1 Frangoteam 1 Fuxa 2026-02-11 7.5 High
FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.
CVE-2025-65923 1 Frappe 1 Erpnext 2026-02-11 5.4 Medium
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account.
CVE-2025-69429 1 Orico 2 Cd3510, Cd3510 Firmware 2026-02-11 6.1 Medium
The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.
CVE-2025-69430 1 Yottamaster 6 Dm2, Dm200, Dm200 Firmware and 3 more 2026-02-11 6.1 Medium
An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.
CVE-2025-69431 1 Zspace 3 Q2c, Q2c Firmware, Q2c Nas 2026-02-11 6.1 Medium
The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's directory mounted on the NAS using the Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files.
CVE-2025-69848 1 Netbox 1 Netbox 2026-02-11 5.4 Medium
NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages without proper escaping. This allows user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships, potentially enabling execution of arbitrary client-side code in the context of a privileged user.
CVE-2025-69875 1 Quickheal 1 Total Security 2026-02-11 7.8 High
A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation.
CVE-2025-70841 2 Amcoders, Dokans 2 Dokans, Multitenancy Based Ecommerce Platform Saas 2026-02-11 10 Critical
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.
CVE-2025-61546 1 Edubusinesssolutions 1 Print Shop Pro Webdesk 2026-02-11 9.1 Critical
There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69) that enables remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls.
CVE-2025-70849 1 Stefanprodan 1 Podinfo 2026-02-11 6.1 Medium
Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).
CVE-2025-63386 2 Dify, Langgenius 2 Dify, Dify 2026-02-11 9.1 Critical
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.
CVE-2025-21427 1 Qualcomm 358 205 Mobile, 205 Mobile Firmware, 215 Mobile and 355 more 2026-02-11 8.2 High
Information disclosure while decoding this RTP packet Payload when UE receives the RTP packet from the network.