Export limit exceeded: 335023 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 335023 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335023 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14524 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 5.3 Medium |
| When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | ||||
| CVE-2026-22820 | 2 Outray, Outray-tunnel | 2 Outray, Outray | 2026-01-20 | 3.7 Low |
| Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5. | ||||
| CVE-2025-14819 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 5.3 Medium |
| When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | ||||
| CVE-2025-15079 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 5.3 Medium |
| When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | ||||
| CVE-2025-15224 | 2 Curl, Haxx | 2 Curl, Curl | 2026-01-20 | 3.1 Low |
| When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | ||||
| CVE-2025-62595 | 1 Koajs | 1 Koa | 2026-01-20 | 4.3 Medium |
| Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3. | ||||
| CVE-2025-25200 | 1 Koajs | 1 Koa | 2026-01-20 | 7.5 High |
| Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue. | ||||
| CVE-2025-20998 | 1 Samsung | 11 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 8 more | 2026-01-20 | 5.5 Medium |
| Improper access control in SamsungAccount for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to access phone number. | ||||
| CVE-2025-21004 | 2 Samsung, Samsung Mobile | 12 Galaxy Watch, Galaxy Watch 4, Galaxy Watch 4 Classic and 9 more | 2026-01-20 | 6.2 Medium |
| Improper verification of intent by broadcast receiver in System UI for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to power off the device. | ||||
| CVE-2025-43019 | 1 Hp | 1 Support Assistant | 2026-01-20 | 7.8 High |
| A potential security vulnerability has been identified in the HP Support Assistant, which allows a local attacker to escalate privileges via an arbitrary file deletion. | ||||
| CVE-2026-23917 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23916 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23915 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23914 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23913 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23912 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23911 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23910 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2026-23909 | 2026-01-20 | N/A | ||
| Not used | ||||
| CVE-2025-3125 | 1 Wso2 | 18 Api Control Plane, Api Manager, Carbon and 15 more | 2026-01-20 | 6.7 Medium |
| An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions. | ||||