Export limit exceeded: 367109 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (367109 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34213 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34170 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34169 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34168 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34167 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34166 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34145 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34144 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34137 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34131 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34122 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34094 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-67436 | 1 Pluxml | 1 Pluxml | 2026-01-02 | 6.5 Medium |
| Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php). | ||||
| CVE-2025-67442 | 1 Eve-ng | 1 Eve-ng | 2026-01-02 | 7.6 High |
| EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users. | ||||
| CVE-2025-67443 | 1 Schlix | 1 Cms | 2026-01-02 | 6.1 Medium |
| Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel. | ||||
| CVE-2025-68115 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-01-02 | 6.1 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. | ||||
| CVE-2025-68116 | 1 Filerise | 1 Filerise | 2026-01-02 | 8.9 High |
| FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue. | ||||
| CVE-2025-68118 | 2 Freerdp, Microsoft | 2 Freerdp, Windows | 2026-01-02 | 9.1 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue. | ||||
| CVE-2025-68150 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-01-02 | 6.5 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available. | ||||
| CVE-2025-68279 | 1 Weblate | 1 Weblate | 2026-01-02 | 7.7 High |
| Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. | ||||