Export limit exceeded: 364353 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364353 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10148 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 5.3 Medium |
| curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. | ||||
| CVE-2025-13034 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 5.9 Medium |
| When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | ||||
| CVE-2025-14819 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 5.3 Medium |
| When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | ||||
| CVE-2025-15079 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 5.3 Medium |
| When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | ||||
| CVE-2025-15224 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 3.1 Low |
| When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | ||||
| CVE-2025-62595 | 1 Koajs | 1 Koa | 2026-01-20 | 4.3 Medium |
| Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3. | ||||
| CVE-2025-25200 | 1 Koajs | 1 Koa | 2026-01-20 | 7.5 High |
| Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue. | ||||
| CVE-2025-20998 | 1 Samsung | 11 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 8 more | 2026-01-20 | 5.5 Medium |
| Improper access control in SamsungAccount for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to access phone number. | ||||
| CVE-2025-21004 | 2 Samsung, Samsung Mobile | 12 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 9 more | 2026-01-20 | 6.2 Medium |
| Improper verification of intent by broadcast receiver in System UI for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to power off the device. | ||||
| CVE-2025-43019 | 1 Hp | 1 Support Assistant | 2026-01-20 | 7.8 High |
| A potential security vulnerability has been identified in the HP Support Assistant, which allows a local attacker to escalate privileges via an arbitrary file deletion. | ||||
| CVE-2026-23917 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23916 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23915 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23914 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23913 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23912 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23911 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23910 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23909 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2025-3125 | 1 Wso2 | 18 Api Control Plane, Api Manager, Carbon and 15 more | 2026-01-20 | 6.7 Medium |
| An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions. | ||||