Export limit exceeded: 364527 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364527 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-29886 1 Serverpod 1 Serverpod 2026-01-08 5.3 Medium
Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6.
CVE-2024-29888 1 Saleor 1 Saleor 2026-01-08 4.2 Medium
Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address. This issue has been patched in versions: `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28`, `3.19.15`.
CVE-2024-29882 1 Ossrs 1 Simple Realtime Server 2026-01-08 7.2 High
SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.
CVE-2024-29898 1 Miraheze 1 Createwiki 2026-01-08 4.9 Medium
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c.
CVE-2023-45706 1 Hcltech 1 Bigfix Platform 2026-01-08 2 Low
An administrative user of WebReports may perform a Cross Site Scripting (XSS) and/or Man in the Middle (MITM) exploit through SAML configuration.
CVE-2023-45715 1 Hcltech 1 Bigfix Platform 2026-01-08 3.5 Low
The console may experience a service interruption when processing file names with invalid characters.
CVE-2025-13204 2 Expr-eval Project, Silentmatt 2 Expr-eval, Javascript Expression Evaluator 2026-01-08 7.3 High
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.
CVE-2025-67634 1 Cisa 2 Software Acquisition Guide, Software Acquisition Guide Tool 2026-01-08 4.4 Medium
The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').
CVE-2025-21063 1 Samsung 2 Android, Voice Recorder 2026-01-08 4.6 Medium
Improper access control in Samsung Voice Recorder prior to version 21.5.73.12 in Android 15 and 21.5.81.40 in Android 16 allows physical attackers to access recording files on the lock screen.
CVE-2025-11651 1 Utt 2 518g, 518g Firmware 2026-01-08 8.8 High
A vulnerability has been found in UTT 进取 518G up to V3v3.2.7-210919-161313. This vulnerability affects the function sub_4247AC of the file /goform/formRemoteControl. The manipulation of the argument Profile leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-11652 1 Utt 2 518g, 518g Firmware 2026-01-08 8.8 High
A vulnerability was found in UTT 进取 518G up to V3v3.2.7-210919-161313. This issue affects some unknown processing of the file /goform/formTaskEdit_ap. The manipulation of the argument txtMin2 results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-61304 1 Dynatrace 2 Activegate, Activegate Ping Extension 2026-01-08 9.8 Critical
OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address.
CVE-2025-63248 1 Diaowen 1 Dwsurvey 2026-01-08 7.5 High
DWSurvey 6.14.0 is vulnerable to Incorrect Access Control. When deleting a questionnaire, replacing the questionnaire ID with the ID of another questionnaire can enable the deletion of other questionnaires.
CVE-2025-63917 2 Cnblogs, Pdfpatcher 2 Pdfpatcher, Pdfpatcher 2026-01-08 7.1 High
PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.
CVE-2024-30149 1 Hcltech 1 Appscan Source 2026-01-08 4.8 Medium
HCL AppScan Source <= 10.6.0 does not properly validate a TLS/SSL certificate for an executable.
CVE-2025-63918 2 Cnblogs, Pdfpatcher 2 Pdfpatcher, Pdfpatcher 2026-01-08 6.2 Medium
PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks allowing attackers to upload arbitrary files to arbitrary locations.
CVE-2025-58407 1 Imaginationtech 2 Ddk, Graphics Ddk 2026-01-08 7.4 High
Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.
CVE-2025-13306 2 D-link, Dlink 12 Dir-822, Dir-825, Dwr-920 and 9 more 2026-01-08 6.3 Medium
A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
CVE-2025-55796 1 Openml 1 Openml.org 2026-01-08 7.5 High
The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted as "%d %H:%M:%S" without incorporating any user-specific data or cryptographic randomness. This predictability allows remote attackers to brute-force valid tokens within a small time window, enabling unauthorized account confirmation, password resets, and email change approvals, potentially leading to account takeover.
CVE-2024-42508 1 Hpe 1 Oneview 2026-01-08 5.5 Medium
This vulnerability could be exploited, leading to unauthorized disclosure of information to authenticated users.