Export limit exceeded: 24781 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (24781 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23878 | 1 Hotcrp | 1 Hotcrp | 2026-02-05 | 6.5 Medium |
| HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. | ||||
| CVE-2026-24345 | 2 Actions-micro, Nimbletech | 4 Ezcast Pro Ii, Ezcast Pro Ii Firmware, Ezcast Pro Dongle Ii and 1 more | 2026-02-05 | 8.8 High |
| Cross-Site Request Forgery in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI | ||||
| CVE-2026-24347 | 2 Actions-micro, Nimbletech | 4 Ezcast Pro Ii, Ezcast Pro Ii Firmware, Ezcast Pro Dongle Ii and 1 more | 2026-02-05 | 5.3 Medium |
| Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory | ||||
| CVE-2026-24348 | 2 Actions-micro, Nimbletech | 4 Ezcast Pro Ii, Ezcast Pro Ii Firmware, Ezcast Pro Dongle Ii and 1 more | 2026-02-05 | 6.1 Medium |
| Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. | ||||
| CVE-2026-24870 | 1 Ixray-team | 2 Ix-ray Engine 1.6, Ixray | 2026-02-05 | 3.7 Low |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop.This issue affects ixray-1.6-stcop: before 1.3. | ||||
| CVE-2025-63783 | 1 Onlook | 1 Onlook | 2026-02-05 | 7.6 High |
| A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability. | ||||
| CVE-2025-46676 | 1 Dell | 3 Data Domain Operating System, Powerprotect Data Domain, Powerprotect Dd | 2026-02-05 | 2.7 Low |
| Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | ||||
| CVE-2025-15482 | 2 Chapaet, Wordpress | 2 Chapa Payment Gateway Plugin For Woocommerce, Wordpress | 2026-02-04 | 5.3 Medium |
| The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key. | ||||
| CVE-2025-15508 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 5.3 Medium |
| The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode. | ||||
| CVE-2025-48985 | 1 Vercel | 3 Ai, Ai Sdk, Vercel | 2026-02-04 | 3.7 Low |
| A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-48985-input-validation-bypass-on-ai-sdk | ||||
| CVE-2025-60925 | 1 Codeshare | 1 Codeshare | 2026-02-04 | 5.3 Medium |
| codeshare v1.0.0 was discovered to contain an information leakage vulnerability. | ||||
| CVE-2020-37093 | 1 Netis-systems | 1 Netis E1+ | 2026-02-04 | 7.5 High |
| Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text. | ||||
| CVE-2025-24319 | 1 F5 | 1 Big-ip Next Central Manager | 2026-02-04 | 6.5 Medium |
| When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-13473 | 1 Djangoproject | 1 Django | 2026-02-04 | 5.3 Medium |
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | ||||
| CVE-2026-25117 | 1 Pwncollege | 1 Dojo | 2026-02-04 | N/A |
| pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue. | ||||
| CVE-2026-24473 | 1 Hono | 1 Hono | 2026-02-04 | 5.3 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue. | ||||
| CVE-2025-6593 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-02-04 | N/A |
| Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | ||||
| CVE-2025-6590 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-02-04 | N/A |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. | ||||
| CVE-2026-0950 | 2 Brainstormforce, Wordpress | 2 Spectra, Wordpress | 2026-02-04 | 5.3 Medium |
| The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block. | ||||
| CVE-2025-8590 | 1 Akce | 1 Skspro | 2026-02-04 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing.This issue affects SKSPro: through 07012026. | ||||