Export limit exceeded: 21038 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 24794 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (24794 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22539 | 1 Efacec | 3 Qc 120, Qc 60, Qc 90 | 2026-01-09 | N/A |
| As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6. | ||||
| CVE-2025-64991 | 1 Teamviewer | 2 Dex, Digital Employee Experience | 2026-01-09 | 6.8 Medium |
| A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-PatchInsights-Deploy instruction prior V15. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | ||||
| CVE-2025-64992 | 1 Teamviewer | 2 Dex, Digital Employee Experience | 2026-01-09 | 6.8 Medium |
| A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior V25. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | ||||
| CVE-2025-64993 | 1 Teamviewer | 2 Dex, Digital Employee Experience | 2026-01-09 | 6.8 Medium |
| A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-ConfigMgrConsoleExtensions instructions. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | ||||
| CVE-2025-14553 | 3 Apple, Google, Tp-link | 4 Ios, Android, Tapo and 1 more | 2026-01-09 | N/A |
| Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged. | ||||
| CVE-2024-29898 | 1 Miraheze | 1 Createwiki | 2026-01-08 | 4.9 Medium |
| CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c. | ||||
| CVE-2025-12540 | 2 Sharethis, Wordpress | 2 Dashboard For Google Analytics, Wordpress | 2026-01-08 | 4.7 Medium |
| The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link. | ||||
| CVE-2025-13215 | 2 Averta, Wordpress | 2 Shortcodes And Extra Features For Phlox Theme, Wordpress | 2026-01-08 | 5.3 Medium |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. | ||||
| CVE-2025-13371 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 8.6 High |
| The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | ||||
| CVE-2024-42508 | 1 Hpe | 1 Oneview | 2026-01-08 | 5.5 Medium |
| This vulnerability could be exploited, leading to unauthorized disclosure of information to authenticated users. | ||||
| CVE-2025-67500 | 1 Joinmastodon | 1 Mastodon | 2026-01-08 | 3.7 Low |
| Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3. | ||||
| CVE-2025-59301 | 1 Deltaww | 2 Dvp15mc11t, Dvp15mc11t Firmware | 2026-01-08 | 4 Medium |
| Delta Electronics DVP15MC11T lacks proper validation of the modbus/tcp packets and can lead to denial of service. | ||||
| CVE-2025-53512 | 1 Canonical | 1 Juju | 2026-01-08 | 6.5 Medium |
| The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. | ||||
| CVE-2025-40325 | 1 Linux | 2 Kernel, Linux Kernel | 2026-01-08 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: md/raid10: wait barrier before returning discard request with REQ_NOWAIT raid10_handle_discard should wait barrier before returning a discard bio which has REQ_NOWAIT. And there is no need to print warning calltrace if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks dmesg and reports error if dmesg has warning/error calltrace. | ||||
| CVE-2025-5731 | 2 Infinispan, Redhat | 6 Infinispan, Data Grid, Jboss Data Grid and 3 more | 2026-01-08 | 5.5 Medium |
| A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found. | ||||
| CVE-2025-65561 | 1 Free5gc | 2 Free5gc, Upf | 2026-01-07 | 7.5 High |
| An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request. | ||||
| CVE-2025-58173 | 1 Freshrss | 1 Freshrss | 2026-01-07 | 8.8 High |
| FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue. | ||||
| CVE-2025-8075 | 1 Hanwhavision | 512 Knb-2000, Knb-2000 Firmware, Knb-5000n and 509 more | 2026-01-07 | 6.1 Medium |
| Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | ||||
| CVE-2025-52600 | 1 Hanwhavision | 512 Knb-2000, Knb-2000 Firmware, Knb-5000n and 509 more | 2026-01-07 | 9.8 Critical |
| Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in camera video analytics that Improper input validation. This vulnerability could allow an attacker to execute specific commands on the user's host PC.The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | ||||
| CVE-2025-59716 | 1 Owncloud | 2 Guests, Owncloud | 2026-01-07 | 5.3 Medium |
| ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user. | ||||