Export limit exceeded: 25158 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (25158 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48642 | 1 Google | 1 Android | 2026-03-06 | 5.5 Medium |
| In jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48635 | 1 Google | 1 Android | 2026-03-06 | 7.7 High |
| In multiple functions of TaskFragmentOrganizerController.java, there is a possible activity token leak due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48630 | 1 Google | 1 Android | 2026-03-06 | 7.4 High |
| In drawLayersInternal of SkiaRenderEngine.cpp, there is a possible way to access the GPU cache due to side channel information disclosure. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48587 | 1 Google | 1 Android | 2026-03-06 | 6.2 Medium |
| In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48585 | 1 Google | 1 Android | 2026-03-06 | 6.2 Medium |
| In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-64427 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2026-03-05 | 7.1 High |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available. | ||||
| CVE-2020-37150 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-03-05 | 7.5 High |
| Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication. | ||||
| CVE-2019-25338 | 1 Dokuwiki | 1 Dokuwiki | 2026-03-05 | 5.3 Medium |
| DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages. | ||||
| CVE-2024-55020 | 1 Weintek | 4 Cmt-3072xh2, Cmt-3072xh2 Firmware, Cmt3072xh and 1 more | 2026-03-04 | 9.8 Critical |
| A command injection vulnerability in the DHCP activation feature of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows attackers to execute arbitrary commands with root privileges. | ||||
| CVE-2025-66623 | 2 Linuxfoundation, Strimzi | 2 Strimzi, Kafka-operator | 2026-03-04 | 7.4 High |
| Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1. | ||||
| CVE-2025-62816 | 1 Samsung | 15 Exynos, Exynos 1280, Exynos 1280 Firmware and 12 more | 2026-03-04 | 5.5 Medium |
| An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, and 2500. Unvalidated VS4L_VERTEXIOC_BOOTUP input leads to a denial of service. | ||||
| CVE-2025-12773 | 2 Broadcom, Brocade | 2 Sannav, Sannav | 2026-03-03 | 6.5 Medium |
| A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password. | ||||
| CVE-2025-0178 | 1 Watchguard | 28 Firebox M270, Firebox M290, Firebox M370 and 25 more | 2026-03-02 | 6.1 Medium |
| Improper Input Validation vulnerability in WatchGuard Fireware OS allows an attacker to manipulate the value of the HTTP Host header in requests sent to the Web UI. An attacker could exploit this vulnerability to redirect users to malicious websites, poison the web cache, or inject malicious JavaScript into responses sent by the Web UI. This issue affects Fireware OS: from 12.0 up to and including 12.11. | ||||
| CVE-2024-26480 | 1 Statping-ng | 1 Statping-ng | 2026-02-28 | 7.5 High |
| An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the admin parameter. | ||||
| CVE-2025-62512 | 1 Piwigo | 1 Piwigo | 2026-02-27 | 5.3 Medium |
| Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available. | ||||
| CVE-2025-61684 | 2 H20, H2o | 2 Quickly, Quicly | 2026-02-27 | 7.5 High |
| Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue. | ||||
| CVE-2024-5692 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Thunderbird | 2026-02-27 | 6.5 Medium |
| On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in the extension. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. | ||||
| CVE-2025-15438 | 1 Pluxml | 1 Pluxml | 2026-02-27 | 4.7 Medium |
| A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready. | ||||
| CVE-2025-27378 | 1 Altium | 2 Aes, On-prem Enterprise Server | 2026-02-26 | 8.6 High |
| AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. | ||||
| CVE-2024-26477 | 1 Statping-ng | 1 Statping-ng | 2026-02-26 | 7.5 High |
| An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazon_sns, export endpoints. | ||||