Search Results (76839 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15268 | 2 Infility, Wordpress | 2 Infility Global, Wordpress | 2026-02-04 | 7.5 High |
| The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-1819 | 1 Karel | 1 Viport | 2026-02-04 | 8.8 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026. | ||||
| CVE-2025-15368 | 2 Themeboy, Wordpress | 2 Sportspress, Wordpress | 2026-02-04 | 8.8 High |
| The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | ||||
| CVE-2023-47150 | 2 Ibm, Linux | 4 Aix, Common Cryptographic Architecture, I and 1 more | 2026-02-04 | 7.5 High |
| IBM Common Cryptographic Architecture (CCA) 7.0.0 through 7.5.36 could allow a remote user to cause a denial of service due to incorrect data handling for certain types of AES operations. IBM X-Force ID: 270602. | ||||
| CVE-2025-63560 | 1 Kiloview | 3 E3, E3 Firmware, Video Encoder Firmware | 2026-02-04 | 7.5 High |
| An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component. | ||||
| CVE-2025-63551 | 1 Metinfo | 2 Content Management System, Metinfo | 2026-02-04 | 7.5 High |
| A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) through 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed. | ||||
| CVE-2020-37085 | 1 Sunnysidesoft | 1 Virtualtablet Server | 2026-02-04 | 7.5 High |
| VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive. | ||||
| CVE-2020-37081 | 1 Fishing Reservation System | 1 Fishing Reservation System | 2026-02-04 | 7.1 High |
| Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction. | ||||
| CVE-2020-37078 | 1 I-doit | 1 I-doit | 2026-02-04 | 8.8 High |
| i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem. | ||||
| CVE-2019-25260 | 1 Oxid-esales | 1 Eshop | 2026-02-04 | 8.2 High |
| OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs. | ||||
| CVE-2025-22890 | 1 Hummingheads | 1 Defense Platform | 2026-02-04 | 8.8 High |
| Execution with unnecessary privileges issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. If an attacker performs a specific operation, SYSTEM privilege of the Windows system where the product is running may be obtained. | ||||
| CVE-2025-22894 | 1 Hummingheads | 1 Defense Platform | 2026-02-04 | 8.8 High |
| Unprotected Windows messaging channel ('Shatter') issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. If an attacker sends a specially crafted message to the specific process of the Windows system where the product is running, arbitrary files in the system may be altered. As a result, an arbitrary DLL may be executed with SYSTEM privilege. | ||||
| CVE-2025-60785 | 2 Icescrum, Kagilum | 2 Icescrum, Icescrum | 2026-02-04 | 8.8 High |
| A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. | ||||
| CVE-2025-63441 | 1 Opensource-socialnetwork | 1 Open Source Social Network | 2026-02-04 | 7.3 High |
| Open Source Social Network (OSSN) 8.6 is vulnerable to Cross Site Scripting (XSS) via the parameter `param` at endpoint u/administrator/friends. | ||||
| CVE-2026-25027 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.7.1. | ||||
| CVE-2025-32023 | 1 Redis | 1 Redis | 2026-02-04 | 7 High |
| Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands. | ||||
| CVE-2024-37301 | 1 Adfinis | 1 Document Merge Service | 2026-02-04 | 7.2 High |
| Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed. | ||||
| CVE-2020-37092 | 1 Netis-systems | 1 Netis E1+ | 2026-02-04 | 7.5 High |
| Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. | ||||
| CVE-2026-24833 | 1 Dnnsoftware | 2 Dnn Platform, Dotnetnuke | 2026-02-04 | 7.7 High |
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for the user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | ||||
| CVE-2026-24836 | 1 Dnnsoftware | 2 Dnn Platform, Dotnetnuke | 2026-02-04 | 7.7 High |
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | ||||