Export limit exceeded: 367109 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (367109 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-34213 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34170 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34169 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34168 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34167 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34166 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34145 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34144 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34137 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34131 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34122 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-34094 2026-01-02 N/A
This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
CVE-2025-67436 1 Pluxml 1 Pluxml 2026-01-02 6.5 Medium
Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).
CVE-2025-67442 1 Eve-ng 1 Eve-ng 2026-01-02 7.6 High
EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users.
CVE-2025-67443 1 Schlix 1 Cms 2026-01-02 6.1 Medium
Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel.
CVE-2025-68115 2 Parse Community, Parseplatform 2 Parse Server, Parse-server 2026-01-02 6.1 Medium
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.
CVE-2025-68116 1 Filerise 1 Filerise 2026-01-02 8.9 High
FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue.
CVE-2025-68118 2 Freerdp, Microsoft 2 Freerdp, Windows 2026-01-02 9.1 Critical
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.
CVE-2025-68150 2 Parse Community, Parseplatform 2 Parse Server, Parse-server 2026-01-02 6.5 Medium
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available.
CVE-2025-68279 1 Weblate 1 Weblate 2026-01-02 7.7 High
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.