Export limit exceeded: 364697 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364697 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-24771 | 1 Maykinmedia | 1 Open Forms | 2026-01-30 | 7.7 High |
| Open Forms allows users create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication bypassed if an attacker somehow managed to authenticate to Open Forms. The maintainers of Open Forms do not believe it is or has been possible to perform this login. However, if this were possible, the victim's account may be abused to view (potentially sensitive) submission data or have been used to impersonate other staff accounts to view and/or modify data. Three mitigating factors to help prevent exploitation include: the usual login page (at `/admin/login/`) does not fully log in the user until the second factor was succesfully provided; the additional non-MFA protected login page at `/api/v2/api-authlogin/` was misconfigured and could not be used to log in; and there are no additional ways to log in. This also requires credentials of a superuser to be compromised to be exploitable. Versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain the following patches to address these weaknesses: Move and only enable the API auth endpoints (`/api/v2/api-auth/login/`) with `settings.DEBUG = True`. `settings.DEBUG = True` is insecure and should never be applied in production settings. Additionally, apply a custom permission check to the hijack flow to only allow second-factor-verified superusers to perform user hijacking. | ||||
| CVE-2025-67025 | 1 Anycomment | 2 Anycomment, Anycomment.io | 2026-01-30 | 6.1 Medium |
| Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section | ||||
| CVE-2022-47425 | 2 Reputeinfosystems, Wordpress | 2 Armember, Wordpress | 2026-01-30 | 4.3 Medium |
| Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ARMember: from n/a through 3.4.10. | ||||
| CVE-2025-13743 | 1 Docker | 1 Docker Desktop | 2026-01-30 | 7.5 High |
| Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. This poses a risk of leaking sensitive information in exported diagnostics, especially when access denied errors occurred. | ||||
| CVE-2025-67488 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-01-30 | 7.8 High |
| SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd which is vulnerable to ZipSlips, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0. | ||||
| CVE-2025-40700 | 2 Idi Eikon, Idieikon | 2 Governalia, Governalia | 2026-01-30 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'q' parameter in '/search' is sent to them. This vulnerability can be exploited to steal sensitive information such as session cookies or to perform actions on behalf of the victim. | ||||
| CVE-2024-50388 | 1 Qnap | 2 Hbs 3, Hybrid Backup Sync | 2026-01-30 | 9.8 Critical |
| An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later | ||||
| CVE-2024-13086 | 1 Qnap | 2 Qts, Quts Hero | 2026-01-30 | 5.3 Medium |
| An exposure of sensitive information vulnerability has been reported to affect product. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QTS 5.2.0.2851 build 20240808 and later QuTS hero h5.2.0.2851 build 20240808 and later | ||||
| CVE-2025-13751 | 2 Microsoft, Openvpn | 2 Windows, Openvpn | 2026-01-30 | 5.5 Medium |
| Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | ||||
| CVE-2025-63083 | 1 Joomla | 3 Joomla, Joomla!, Joomla\! | 2026-01-30 | 6.1 Medium |
| Lack of output escaping leads to a XSS vector in the pagebreak plugin. | ||||
| CVE-2025-33208 | 2 Canonical, Nvidia | 3 Ubuntu Linux, Tao, Tao Toolkit | 2026-01-30 | 8.8 High |
| NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path. A successful exploit of this vulnerability may lead to escalation of privileges, data tampering, denial of service, information disclosure. | ||||
| CVE-2025-63082 | 1 Joomla | 3 Joomla, Joomla!, Joomla\! | 2026-01-30 | 6.1 Medium |
| Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. | ||||
| CVE-2025-10865 | 1 Imaginationtech | 2 Ddk, Graphics Ddk | 2026-01-30 | 7.8 High |
| Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present. | ||||
| CVE-2025-58409 | 1 Imaginationtech | 2 Ddk, Graphics Ddk | 2026-01-30 | 3.5 Low |
| Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory. | ||||
| CVE-2025-58411 | 1 Imaginationtech | 2 Ddk, Graphics Ddk | 2026-01-30 | 8.8 High |
| Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused scenario where potential write use after free was present. | ||||
| CVE-2025-13086 | 1 Openvpn | 1 Openvpn | 2026-01-30 | 7.5 High |
| Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client | ||||
| CVE-2025-25176 | 1 Imaginationtech | 2 Ddk, Graphics Ddk | 2026-01-30 | 9.1 Critical |
| Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform. | ||||
| CVE-2025-39205 | 1 Hitachienergy | 1 Microscada X Sys600 | 2026-01-30 | 6.5 Medium |
| A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows remote Man-in-the-Middle attack due to missing proper validation. | ||||
| CVE-2025-68470 | 1 Shopify | 1 React-router | 2026-01-30 | 6.5 Medium |
| React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6. | ||||
| CVE-2025-59057 | 1 Shopify | 2 React-router, Remix-run\/react | 2026-01-30 | 7.6 High |
| React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. | ||||