Export limit exceeded: 339531 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339531 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34167 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34166 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34145 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34144 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34137 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34131 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34122 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-34094 | 2026-01-02 | N/A | ||
| This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. | ||||
| CVE-2025-67436 | 1 Pluxml | 1 Pluxml | 2026-01-02 | 6.5 Medium |
| Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php). | ||||
| CVE-2025-67442 | 1 Eve-ng | 1 Eve-ng | 2026-01-02 | 7.6 High |
| EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users. | ||||
| CVE-2025-67443 | 1 Schlix | 1 Cms | 2026-01-02 | 6.1 Medium |
| Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel. | ||||
| CVE-2025-68115 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-01-02 | 6.1 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. | ||||
| CVE-2025-68116 | 1 Filerise | 1 Filerise | 2026-01-02 | 8.9 High |
| FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue. | ||||
| CVE-2025-69412 | 1 Kde | 1 Messagelib | 2026-01-02 | 3.4 Low |
| KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. | ||||
| CVE-2023-7331 | 2026-01-02 | 4.7 Medium | ||
| A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a. It is suggested to install a patch to address this issue. | ||||
| CVE-2023-7332 | 2026-01-02 | N/A | ||
| PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service. | ||||
| CVE-2025-68118 | 2 Freerdp, Microsoft | 2 Freerdp, Windows | 2026-01-02 | 9.1 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue. | ||||
| CVE-2025-68150 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-01-02 | 6.5 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available. | ||||
| CVE-2025-68279 | 1 Weblate | 1 Weblate | 2026-01-02 | 7.7 High |
| Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. | ||||
| CVE-2025-68460 | 1 Roundcube | 1 Webmail | 2026-01-02 | 7.2 High |
| Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer. | ||||