Export limit exceeded: 76990 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (76990 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-31107 | 3 Grafana, Netapp, Redhat | 6 Grafana, E-series Performance Analyzer, Ceph Storage and 3 more | 2026-01-28 | 7.1 High |
| Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address. | ||||
| CVE-2022-36062 | 1 Grafana | 1 Grafana | 2026-01-28 | 7.6 High |
| Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. | ||||
| CVE-2022-23498 | 2 Grafana, Redhat | 2 Grafana, Ceph Storage | 2026-01-28 | 7.1 High |
| Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4. | ||||
| CVE-2025-43860 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-01-27 | 7.6 High |
| OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the (1) Text Box fields of Address, Address Line 2, Postal Code and City fields and (2) Drop Down menu options of Address Use, State and Country of the Additional Addresses section of the Contact tab in Patient Demographics. The injected script can execute in two scenarios: (1) dynamically during form input, and (2) when the form data is later loaded for editing. Version 7.0.3.4 contains a patch for the issue. | ||||
| CVE-2026-22481 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 8.8 High |
| Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1. | ||||
| CVE-2025-69190 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Listihub: from n/a through <= 1.0.6. | ||||
| CVE-2025-69183 | 2 E-plugins, Wordpress | 2 Hospital & Doctor Directory, Wordpress | 2026-01-27 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation.This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | ||||
| CVE-2025-69182 | 2 E-plugins, Wordpress | 2 Institutions Directory, Wordpress | 2026-01-27 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in e-plugins Institutions Directory institutions-directory allows Privilege Escalation.This issue affects Institutions Directory: from n/a through <= 1.3.4. | ||||
| CVE-2025-68899 | 2 Designthemes, Wordpress | 2 Vivagh, Wordpress | 2026-01-27 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection.This issue affects Vivagh: from n/a through <= 2.4. | ||||
| CVE-2025-68894 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS.This issue affects ShoutOut: from n/a through <= 4.0.2. | ||||
| CVE-2025-68884 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS.This issue affects WP Simple Redirect: from n/a through <= 1.1. | ||||
| CVE-2025-68883 | 2 Extremeidea, Wordpress | 2 Bidorbuy Store Integrator, Wordpress | 2026-01-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Reflected XSS.This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. | ||||
| CVE-2025-68882 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 7.5 High |
| Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Scalenut: from n/a through <= 1.1.3. | ||||
| CVE-2025-68839 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Remi Corson Easy Theme Options easy-theme-options allows Reflected XSS.This issue affects Easy Theme Options: from n/a through <= 1.0. | ||||
| CVE-2025-68835 | 2 Matiskiba, Wordpress | 2 Ravpage, Wordpress | 2026-01-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS.This issue affects Ravpage: from n/a through <= 2.33. | ||||
| CVE-2025-68510 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion.This issue affects Photography: from n/a through < 7.7.5. | ||||
| CVE-2025-66518 | 1 Apache | 1 Kyuubi | 2026-01-27 | 8.8 High |
| Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue. | ||||
| CVE-2025-47339 | 1 Qualcomm | 371 Ar8035, Ar8035 Firmware, Ar9380 and 368 more | 2026-01-27 | 7.8 High |
| Memory corruption while deinitializing a HDCP session. | ||||
| CVE-2025-47345 | 1 Qualcomm | 211 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 208 more | 2026-01-27 | 8.4 High |
| Cryptographic issue may occur while encrypting license data. | ||||
| CVE-2025-47346 | 1 Qualcomm | 227 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 224 more | 2026-01-27 | 7.8 High |
| Memory corruption while processing a secure logging command in the trusted application. | ||||