Export limit exceeded: 364866 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364866 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-59529 1 Avahi 1 Avahi 2026-01-16 5.5 Medium
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.
CVE-2023-3666 2 Maevelander, Wordpress 2 Sticky Side Buttons, Wordpress 2026-01-16 3.3 Low
The Sticky Side Buttons WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2025-2268 1 Hp 108 1y7d4a, 1y7d4a Firmware, 2a129a and 105 more 2026-01-16 7.5 High
The HP LaserJet MFP M232-M237 Printer Series may be vulnerable to a denial of service attack when a specially crafted request message is sent via Internet Printing Protocol (IPP).
CVE-2024-11131 1 Synology 6 Bc500, Bc500 Firmware, Cc400w and 3 more 2026-01-16 9.8 Critical
A vulnerability regarding out-of-bounds read is found in the video interface. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.2.0-0525 may be affected: BC500, CC400W and TC500.
CVE-2024-50630 1 Synology 1 Drive Server 2026-01-16 7.5 High
Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.
CVE-2024-50631 1 Synology 1 Drive Server 2026-01-16 7.5 High
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.
CVE-2025-58754 1 Axios 1 Axios 2026-01-16 7.5 High
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
CVE-2022-50911 1 Bitrix24 1 Bitrix24 2026-01-16 N/A
This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
CVE-2025-36599 1 Dell 1 Powerflex Manager 2026-01-16 4.3 Medium
Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account.
CVE-2025-30026 1 Axis 2 Camera Station, Camera Station Pro 2026-01-16 9.8 Critical
The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required.
CVE-2025-7404 2 Gelbphoenix, Janeczku 2 Autocaliweb, Calibre-web 2026-01-16 9.8 Critical
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
CVE-2025-43023 2 Hp, Linux 5 Hp, Linux Imaging And Printing, Linux Imaging And Printing Project and 2 more 2026-01-16 9.1 Critical
A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software documentation. This potential vulnerability is due to the use of a weak code signing key, Digital Signature Algorithm (DSA).
CVE-2025-68637 1 Apache 1 Uniffle 2026-01-16 9.1 Critical
The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.
CVE-2025-66169 1 Apache 1 Camel 2026-01-16 5.3 Medium
Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0.
CVE-2026-0823 2026-01-16 N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2025-10145 2 Themeisle, Wordpress 2 Auto Featured Image, Wordpress 2026-01-16 N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-7073. Reason: This candidate is a reservation duplicate of CVE-2023-7073. Notes: All CVE users should reference CVE-2023-7073 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2026-23714 2026-01-16 N/A
Not used
CVE-2026-23713 2026-01-16 N/A
Not used
CVE-2026-23712 2026-01-16 N/A
Not used
CVE-2026-23711 2026-01-16 N/A
Not used