Export limit exceeded: 76092 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (76092 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26055 | 1 Yokecd | 1 Yoke | 2026-02-13 | 7.5 High |
| Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization. | ||||
| CVE-2026-26056 | 1 Yokecd | 1 Yoke | 2026-02-13 | 8.8 High |
| Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level. | ||||
| CVE-2019-25322 | 1 Heatmiser | 1 Heatmiser Netmonitor | 2026-02-13 | 7.5 High |
| Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields. | ||||
| CVE-2019-25328 | 1 Xnsoft | 1 Xnconvert | 2026-02-13 | 7.5 High |
| XnConvert 1.82 contains a denial of service vulnerability in its registration code input field that allows attackers to crash the application. Attackers can generate a 9000-byte buffer of repeated characters and paste it into the registration code field to trigger an application crash. | ||||
| CVE-2019-25330 | 1 Bimesoft | 1 Surfoffline Professional | 2026-02-13 | 7.5 High |
| SurfOffline Professional 2.2.0.103 contains a structured exception handler (SEH) overflow vulnerability that allows attackers to crash the application by manipulating the project name input. Attackers can generate a malicious payload of 382 'A' characters followed by specific byte sequences to trigger a denial of service condition and overwrite SEH registers. | ||||
| CVE-2019-25332 | 1 Internet-soft | 1 Ftp Commander Pro | 2026-02-13 | 8.4 High |
| FTP Commander Pro 8.03 contains a local stack overflow vulnerability that allows attackers to execute arbitrary code by overwriting the EIP register through a custom command input. Attackers can craft a malicious payload of 4108 bytes to overwrite memory and execute shellcode, demonstrating remote code execution potential. | ||||
| CVE-2019-25333 | 1 Bullwark | 1 Momentum Series Jaws | 2026-02-13 | 7.5 High |
| Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP request paths. Attackers can exploit the vulnerability by sending crafted GET requests with multiple '../' sequences to read sensitive files like /etc/passwd outside the web root directory. | ||||
| CVE-2019-25339 | 1 Ghia-camip | 1 Ghia Camip | 2026-02-13 | 7.5 High |
| GHIA CamIP 1.2 for iOS contains a denial of service vulnerability in the password input field that allows attackers to crash the application. Attackers can paste a 33-character buffer of repeated characters into the password field to trigger an application crash on iOS devices. | ||||
| CVE-2019-25341 | 1 Inettools | 1 Inettools For Ios | 2026-02-13 | 7.5 High |
| iNetTools for iOS 8.20 contains a denial of service vulnerability in the Whois feature that allows attackers to crash the application by manipulating input. Attackers can paste a specially crafted 98-character buffer into the Domain Name field to trigger an application crash. | ||||
| CVE-2019-25342 | 1 Centova Technologies Inc. | 1 Centova Cast | 2026-02-13 | 7.5 High |
| Centova Cast 3.2.12 contains a denial of service vulnerability that allows attackers to overwhelm the system by repeatedly calling the database export API endpoint. Attackers can trigger 100% CPU load by sending multiple concurrent requests to the /api.php endpoint with crafted parameters. | ||||
| CVE-2019-25335 | 1 Websitem | 1 7070 Hazır Profesyonel Web Sitesi | 2026-02-13 | 7.5 High |
| PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface. | ||||
| CVE-2026-25614 | 2 Blesta, Phillipsdata | 2 Blesta, Blesta | 2026-02-13 | 7.5 High |
| Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | ||||
| CVE-2026-25615 | 2 Blesta, Phillipsdata | 2 Blesta, Blesta | 2026-02-13 | 7.2 High |
| Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | ||||
| CVE-2023-33498 | 1 Alistgo | 1 Alist | 2026-02-13 | 8.8 High |
| alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file. | ||||
| CVE-2025-63647 | 1 Owntone | 2 Owntone-server, Owntone Server | 2026-02-13 | 7.5 High |
| A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. | ||||
| CVE-2023-4911 | 6 Canonical, Debian, Fedoraproject and 3 more | 43 Ubuntu Linux, Debian Linux, Fedora and 40 more | 2026-02-13 | 7.8 High |
| A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. | ||||
| CVE-2026-25161 | 1 Alistgo | 1 Alist | 2026-02-13 | 8.8 High |
| Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0. | ||||
| CVE-2023-31726 | 1 Alistgo | 1 Alist | 2026-02-13 | 7.5 High |
| AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information. | ||||
| CVE-2022-45968 | 1 Alistgo | 1 Alist | 2026-02-13 | 8.8 High |
| Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). | ||||
| CVE-2026-0789 | 2 Algo, Algosolutions | 3 8180 Ip Audio Alerter, 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | 7.5 High |
| ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper management of sensitive information. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28297. | ||||