Export limit exceeded: 336153 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336153 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3429 | 1 Keycloak | 1 Keycloak | 2026-03-03 | 4.2 Medium |
| A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. | ||||
| CVE-2026-3441 | 1 Gnu | 1 Binutils | 2026-03-03 | 6.1 Medium |
| No description is available for this CVE. | ||||
| CVE-2026-3442 | 1 Gnu | 1 Binutils | 2026-03-03 | 6.1 Medium |
| No description is available for this CVE. | ||||
| CVE-2025-66880 | 1 720yun | 1 Pano Sdk | 2026-03-03 | 6.1 Medium |
| Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules. | ||||
| CVE-2025-58107 | 1 Microsoft | 4 Exchange, Exchange Server, Exchange Server 2016 and 1 more | 2026-03-03 | 7.5 High |
| In Microsoft Exchange through 2019, Exchange ActiveSync (EAS) configurations on on-premises servers may transmit sensitive data from Samsung mobile devices in cleartext, including the user's name, e-mail address, device ID, bearer token, and base64-encoded password. | ||||
| CVE-2025-65465 | 1 Skrol29 | 1 Tbszip | 2026-03-03 | 6.1 Medium |
| A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter (e.g., to the FileRead function). This occurs because the error message is not properly sanitized before being output to the user. This vulnerability is fixed in version 2.18. | ||||
| CVE-2026-26709 | 1 Code-projects | 1 Simple Gym Management System | 2026-03-03 | N/A |
| code-projects Simple Gym Management System v1.0 is vulnerable to SQL Injection in /gym/trainer_search.php. | ||||
| CVE-2026-2999 | 1 Changing | 1 Idexpert Windows Logon Agent | 2026-03-03 | 9.8 Critical |
| IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary executable files from a remote source and execute them. | ||||
| CVE-2026-3000 | 1 Changing | 1 Idexpert Windows Logon Agent | 2026-03-03 | 9.8 Critical |
| IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary DLL files from a remote source and execute them. | ||||
| CVE-2026-3422 | 1 E-excellence | 1 U-office Force | 2026-03-03 | 9.8 Critical |
| U-Office Force developed by e-Excellence has a Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content. | ||||
| CVE-2026-20430 | 2 Mediatek, Openwrt | 7 Mt6890, Mt7915, Mt7916 and 4 more | 2026-03-03 | 8.8 High |
| In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151. | ||||
| CVE-2026-20429 | 2 Google, Mediatek | 30 Android, Mt6739, Mt6761 and 27 more | 2026-03-03 | 4.4 Medium |
| In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10320471; Issue ID: MSV-5535. | ||||
| CVE-2026-2584 | 1 Ciser System | 1 Csip Firmware | 2026-03-03 | N/A |
| A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system's configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the breach may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems (SC:L). | ||||
| CVE-2025-10350 | 1 Cgm | 1 Cgm Netraad | 2026-03-03 | N/A |
| SQL Injection vulnerability in "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions before 7.9.0. | ||||
| CVE-2025-30035 | 1 Cgm | 1 Cgm Clininet | 2026-03-03 | N/A |
| The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the system with the privileges of the targeted user. | ||||
| CVE-2025-30042 | 1 Cgm | 1 Cgm Clininet | 2026-03-03 | N/A |
| The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication, regardless of the actual presence of the smart card or ownership of the private key. | ||||
| CVE-2025-30044 | 1 Cgm | 1 Cgm Clininet | 2026-03-03 | N/A |
| In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstat_simple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection. | ||||
| CVE-2025-30062 | 1 Cgm | 1 Cgm Clininet | 2026-03-03 | N/A |
| In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection. | ||||
| CVE-2025-58402 | 1 Cgm | 1 Cgm Clininet | 2026-03-03 | N/A |
| The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users. | ||||
| CVE-2025-58405 | 1 Cgm | 1 Cgm Clininet | 2026-03-03 | N/A |
| The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into performing unintended actions, including potentially bypassing CSRF/XSRF defenses. | ||||