Export limit exceeded: 364439 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364439 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-4674 2 Golang, Gotoolchain 2 Go, Cmd/go 2026-01-29 8.6 High
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
CVE-2025-11250 1 Zohocorp 1 Manageengine Adselfservice Plus 2026-01-29 9.1 Critical
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
CVE-2025-47907 1 Golang 2 Database Sql, Go 2026-01-29 7 High
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
CVE-2025-9435 1 Zohocorp 1 Manageengine Admanager Plus 2026-01-29 5.5 Medium
Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module
CVE-2025-1271 1 Anapi 1 H6web 2026-01-29 6.1 Medium
Reflected Cross-Site Scripting (XSS) in Anapi Group's h6web. This security flaw could allow an attacker to inject malicious JavaScript code into a URL. When a user accesses that URL, the injected code is executed in their browser, which can result in the theft of sensitive information, identity theft or the execution of unauthorised actions on behalf of the affected user.
CVE-2025-1711 1 Endress 2 Meac300-fnade4, Meac300-fnade4 Firmware 2026-01-29 4.3 Medium
Multiple services of the DUT as well as different scopes of the same service reuse the same credentials.
CVE-2025-67229 1 Todesktop 1 Builder 2026-01-29 9.8 Critical
An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1 This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation.
CVE-2025-67230 1 Todesktop 1 Builder 2026-01-29 7.1 High
Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation.
CVE-2025-67231 1 Todesktop 1 Builder 2026-01-29 5.9 Medium
A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload.
CVE-2025-56157 1 Langgenius 1 Dify 2026-01-29 9.8 Critical
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
CVE-2025-27453 1 Endress 2 Meac300-fnade4, Meac300-fnade4 Firmware 2026-01-29 5.3 Medium
The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
CVE-2025-49182 1 Sick 1 Media Server 2026-01-29 7.5 High
Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application.
CVE-2025-49183 1 Sick 1 Media Server 2026-01-29 7.5 High
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
CVE-2025-49184 1 Sick 6 Baggage Analytics, Enterprise Analytics, Field Analytics and 3 more 2026-01-29 7.5 High
A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product.
CVE-2024-53636 2 Academiaerp, Serosoft 2 Student Information System, Academia Student Information System 2026-01-29 6.4 Medium
An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath parameter.
CVE-2024-4464 1 Synology 1 Media Server 2026-01-29 7.5 High
Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors.
CVE-2025-49185 1 Sick 1 Field Analytics 2026-01-29 5.5 Medium
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
CVE-2025-49187 1 Sick 1 Field Analytics 2026-01-29 5.3 Medium
For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
CVE-2025-49190 1 Sick 1 Field Analytics 2026-01-29 4.3 Medium
The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
CVE-2025-49188 1 Sick 1 Field Analytics 2026-01-29 5.3 Medium
The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.