Search Results (343533 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-58582 | 1 Sick | 1 Enterprise Analytics | 2026-01-27 | 5.3 Medium |
| If a user tries to log in but the provided credentials are incorrect, a log entry is created. The data for this POST request is not validated and it is possible to send giant payloads which are then logged. | ||||
| CVE-2025-58583 | 1 Sick | 1 Enterprise Analytics | 2026-01-27 | 5.3 Medium |
| The application provides access to a login protected H2 database for caching purposes. The username is prefilled. | ||||
| CVE-2025-58584 | 1 Sick | 5 Baggage Analytics, Enterprise Analytics, Logistic Diagnostic Analytics and 2 more | 2026-01-27 | 5.3 Medium |
| In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally. | ||||
| CVE-2025-9273 | 1 Cdata | 1 Api Server | 2026-01-27 | N/A |
| CData API Server MySQL Misconfiguration Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of CData API Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the usage of MySQL connections. When connecting to a MySQL server, the product enables an option that gives the MySQL server permission to request local files from the MySQL client. An attacker can leverage this vulnerability to disclose information in the context of NETWORK SERVICE. Was ZDI-CAN-23950. | ||||
| CVE-2023-29639 | 1 Zhenfeng13 | 1 My Blog | 2026-01-27 | 5.4 Medium |
| Cross site scripting (XSS) vulnerability in ZHENFENG13 My-Blog, allows attackers to inject arbitrary web script or HTML via editing an article in the "blog article" page due to the default configuration not utilizing MyBlogUtils.cleanString. | ||||
| CVE-2023-29636 | 1 Zhenfeng13 | 1 My Blog | 2026-01-27 | 5.4 Medium |
| Cross site scripting (XSS) vulnerability in ZHENFENG13 My-Blog, allows attackers to inject arbitrary web script or HTML via the "title" field in the "blog management" page due to the default configuration not using MyBlogUtils.cleanString. | ||||
| CVE-2018-14634 | 6 Canonical, F5, Linux and 3 more | 35 Ubuntu Linux, Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager and 32 more | 2026-01-27 | N/A |
| An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to a SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable. | ||||
| CVE-2012-2571 | 1 Winwebmail | 1 Winwebmail Server | 2026-01-27 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WinWebMail Server 3.8.1.6 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE attribute of an arbitrary element, (4) a crafted SRC attribute of an IFRAME element, or (5) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element. | ||||
| CVE-2023-43944 | 1 Oretnom23 | 1 Task Management System | 2026-01-27 | 5.4 Medium |
| A Stored Cross Site Scripting (XSS) vulnerability was found in SourceCodester Task Management System 1.0. It allows attackers to execute arbitrary code via parameter field in index.php?page=project_list. | ||||
| CVE-2022-28975 | 1 Infoblox | 1 Nios | 2026-01-27 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in Infoblox NIOS v8.5.2-409296 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the VLAN View Name field. | ||||
| CVE-2026-24489 | 1 Happyhackingspace | 1 Gakido | 2026-01-27 | 5.3 Medium |
| Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests. | ||||
| CVE-2025-9615 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-01-27 | N/A |
| A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection. | ||||
| CVE-2025-71178 | 1 Micron | 1 Crucial Storage Executive | 2026-01-27 | N/A |
| Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code execution with administrator privileges. | ||||
| CVE-2020-36957 | 1 Pdfcomplete | 1 Pdf Complete | 2026-01-27 | 7.8 High |
| PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | ||||
| CVE-2020-36958 | 1 Kite | 1 Kite | 2026-01-27 | 7.8 High |
| Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Kite\KiteService.exe' to inject malicious executables and escalate privileges on the system. | ||||
| CVE-2025-11687 | 1 Gnome | 1 Gi-docgen | 2026-01-27 | 6.1 Medium |
| A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page (enabling DOM access, session cookie theft and other client-side attacks) via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). | ||||
| CVE-2025-14459 | 1 Redhat | 1 Container Native Virtualization | 2026-01-27 | 8.5 High |
| A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. | ||||
| CVE-2025-14525 | 1 Redhat | 1 Container Native Virtualization | 2026-01-27 | 6.4 Medium |
| A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations. | ||||
| CVE-2023-29240 | 1 F5 | 1 Big-iq Centralized Management | 2026-01-27 | 5.4 Medium |
| An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-23419 | 3 Debian, F5, Redhat | 4 Debian Linux, Nginx, Nginx Plus and 1 more | 2026-01-27 | 4.3 Medium |
| When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) are used and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) is used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||