Export limit exceeded: 345217 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 345217 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345217 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-37028 | 1 Linuxfoundation | 1 Magma | 2026-02-28 | 6.5 Medium |
| A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `E-RAB Modification Indication` packet missing an expected `eNB_UE_S1AP_ID` field. | ||||
| CVE-2024-29741 | 1 Google | 1 Android | 2026-02-28 | 7.8 High |
| In pblS2mpuResume of s2mpu.c, there is a possible mitigation bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-26369 | 2 Jung, Jung-group | 2 Enet Smart Home Server, Enet Smart Home | 2026-02-28 | 9.8 Critical |
| eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions. | ||||
| CVE-2024-55928 | 1 Xerox | 1 Workplace Suite | 2026-02-28 | 6.5 Medium |
| Xerox Workplace Suite exposes sensitive secrets in clear text, both locally and remotely. This vulnerability allows attackers to intercept or access secrets without encryption | ||||
| CVE-2024-55927 | 1 Xerox | 1 Workplace Suite | 2026-02-28 | 7.6 High |
| A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions. | ||||
| CVE-2024-55926 | 1 Xerox | 1 Workplace Suite | 2026-02-28 | 7.6 High |
| A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data | ||||
| CVE-2024-55925 | 1 Xerox | 1 Workplace Suite | 2026-02-28 | 7.5 High |
| In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets improper host validation, potentially exposing sensitive API endpoints. | ||||
| CVE-2026-1725 | 1 Gitlab | 1 Gitlab | 2026-02-28 | 5.3 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint. | ||||
| CVE-2026-27837 | 2 Dottie Project, Mickhansen | 2 Dottie, Dottie.js | 2026-02-28 | 6.3 Medium |
| Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability. | ||||
| CVE-2026-27948 | 1 9001 | 1 Copyparty | 2026-02-28 | 5.4 Medium |
| Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue. | ||||
| CVE-2026-0752 | 1 Gitlab | 1 Gitlab | 2026-02-28 | 8 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI. | ||||
| CVE-2025-14511 | 1 Gitlab | 1 Gitlab | 2026-02-28 | 7.5 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions. | ||||
| CVE-2026-3221 | 1 Devolutions | 2 Devolutions Server, Server | 2026-02-28 | 4.9 Medium |
| Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access. | ||||
| CVE-2026-1979 | 1 Mruby | 1 Mruby | 2026-02-28 | 5.3 Medium |
| A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue. | ||||
| CVE-2026-25729 | 1 Lintsinghua | 1 Deepaudit | 2026-02-28 | 6.5 Medium |
| DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information. | ||||
| CVE-2025-15564 | 1 Mapnik | 1 Mapnik | 2026-02-28 | 3.3 Low |
| A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-66630 | 2 Gofiber, Golang | 2 Fiber, Go | 2026-02-28 | 9.4 Critical |
| Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11. | ||||
| CVE-2026-25598 | 2 Step Security, Stepsecurity | 2 Harden Runner, Harden-runner | 2026-02-28 | 5.3 Medium |
| Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2. | ||||
| CVE-2026-25878 | 1 Friendsofshopware | 2 Froshadminer, Froshplatformadminer | 2026-02-28 | 5.3 Medium |
| FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1. | ||||
| CVE-2026-25808 | 2 Fedify, Fedify-dev | 2 Hollo, Hollo | 2026-02-28 | 7.5 High |
| Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2. | ||||