Export limit exceeded: 364837 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364837 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47907 | 1 Golang | 2 Database Sql, Go | 2026-01-29 | 7 High |
| Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. | ||||
| CVE-2025-9435 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2026-01-29 | 5.5 Medium |
| Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module | ||||
| CVE-2025-1271 | 1 Anapi | 1 H6web | 2026-01-29 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) in Anapi Group's h6web. This security flaw could allow an attacker to inject malicious JavaScript code into a URL. When a user accesses that URL, the injected code is executed in their browser, which can result in the theft of sensitive information, identity theft or the execution of unauthorised actions on behalf of the affected user. | ||||
| CVE-2025-1711 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-01-29 | 4.3 Medium |
| Multiple services of the DUT as well as different scopes of the same service reuse the same credentials. | ||||
| CVE-2025-67229 | 1 Todesktop | 1 Builder | 2026-01-29 | 9.8 Critical |
| An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1 This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. | ||||
| CVE-2025-67230 | 1 Todesktop | 1 Builder | 2026-01-29 | 7.1 High |
| Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. | ||||
| CVE-2025-67231 | 1 Todesktop | 1 Builder | 2026-01-29 | 5.9 Medium |
| A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. | ||||
| CVE-2025-56157 | 1 Langgenius | 1 Dify | 2026-01-29 | 9.8 Critical |
| Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later. | ||||
| CVE-2025-27453 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-01-29 | 5.3 Medium |
| The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript. | ||||
| CVE-2025-49182 | 1 Sick | 1 Media Server | 2026-01-29 | 7.5 High |
| Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application. | ||||
| CVE-2025-49183 | 1 Sick | 1 Media Server | 2026-01-29 | 7.5 High |
| All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files. | ||||
| CVE-2025-49184 | 1 Sick | 6 Baggage Analytics, Enterprise Analytics, Field Analytics and 3 more | 2026-01-29 | 7.5 High |
| A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product. | ||||
| CVE-2024-53636 | 2 Academiaerp, Serosoft | 2 Student Information System, Academia Student Information System | 2026-01-29 | 6.4 Medium |
| An arbitrary file upload vulnerability via writefile.php of Serosoft Academia Student Information System (SIS) EagleR-1.0.118 allows attackers to execute arbitrary code via ../ in the filePath parameter. | ||||
| CVE-2024-4464 | 1 Synology | 1 Media Server | 2026-01-29 | 7.5 High |
| Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors. | ||||
| CVE-2025-49185 | 1 Sick | 1 Field Analytics | 2026-01-29 | 5.5 Medium |
| The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source. | ||||
| CVE-2025-49187 | 1 Sick | 1 Field Analytics | 2026-01-29 | 5.3 Medium |
| For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | ||||
| CVE-2025-49190 | 1 Sick | 1 Field Analytics | 2026-01-29 | 4.3 Medium |
| The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports. | ||||
| CVE-2025-49188 | 1 Sick | 1 Field Analytics | 2026-01-29 | 5.3 Medium |
| The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering. | ||||
| CVE-2025-49191 | 1 Sick | 1 Field Analytics | 2026-01-29 | 4.8 Medium |
| Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets. | ||||
| CVE-2025-65091 | 1 Xwiki | 2 Full Calendar Macro, Xwiki | 2026-01-29 | 10 Critical |
| XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. | ||||