Export limit exceeded: 12822 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12822 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-67645 2 Open-emr, Openemr 2 Openemr, Openemr 2026-02-12 8.8 High
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue.
CVE-2025-13980 2 Ckeditor, Cksource 3 Ckeditor, Ckeditor 5, Ckeditor 5 Premium Features 2026-02-12 5.3 Medium
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.
CVE-2025-70997 2 Eladmin, Elunez 2 Eladmin, Eladmin 2026-02-12 8.1 High
A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.
CVE-2025-70982 2 Bladex, Chillzhuang 2 Springblade, Springblade 2026-02-12 9.9 Critical
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
CVE-2025-27024 1 Nokia 2 G42, G42 Firmware 2026-02-11 6.5 Medium
Unrestricted access to OS file system in SFTP service in Infinera G42 version R6.1.3 allows remote authenticated users to read/write OS files via SFTP connections. Details: Account members of the Network Administrator profile can access the target machine via SFTP with the same credentials used for SSH CLI access and are able to read all files according to the OS permission instead of remaining inside the chrooted directory position.
CVE-2025-69908 2 Newgen, Newgensoft 2 Omniapp, Omniapp 2026-02-11 7.5 High
An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource.
CVE-2025-70983 2 Bladex, Springblade Project 2 Springblade, Springblade 2026-02-11 9.9 Critical
Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges.
CVE-2025-69875 1 Quickheal 1 Total Security 2026-02-11 7.8 High
A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation.
CVE-2025-70841 2 Amcoders, Dokans 2 Dokans, Multitenancy Based Ecommerce Platform Saas 2026-02-11 10 Critical
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.
CVE-2024-38164 1 Microsoft 1 Groupme 2026-02-10 9.6 Critical
An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.
CVE-2024-38099 1 Microsoft 9 Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Sp2 and 6 more 2026-02-10 5.9 Medium
Windows Remote Desktop Licensing Service Denial of Service Vulnerability
CVE-2024-38100 1 Microsoft 5 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 2 more 2026-02-10 7.8 High
Windows File Explorer Elevation of Privilege Vulnerability
CVE-2024-38061 1 Microsoft 22 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 19 more 2026-02-10 7.5 High
DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability
CVE-2020-37116 2 Gunet, Openeclass 2 Open Eclass Platform, Openeclass 2026-02-10 8.8 High
GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise.
CVE-2025-3569 1 Jameszbl 1 Db-hospital-drug 2026-02-10 6.3 Medium
A vulnerability was found in JamesZBL/code-projects db-hospital-drug 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file ShiroConfig.java. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-60865 1 Avanquest 2 Driver Updater, Pc Helpsoft Driver Updater 2026-02-10 7.8 High
Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component.
CVE-2025-13986 2 Drupal, Zyxware 2 Disable Login Page, Disable Login Page 2026-02-06 4.2 Medium
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.
CVE-2025-12810 1 Delinea 1 Secret Server 2026-02-06 6.5 Medium
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails.
CVE-2025-66698 2 Semantic, Semantic-machines 2 Machines, Veda 2026-02-05 8.6 High
An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints.
CVE-2025-59392 2 Elspec, Elspec-ltd 3 G5 Digital Fault Recorder, G5dfr, G5dfr Firmware 2026-02-04 6.8 Medium
On Elspec G5 devices through 1.2.2.19, a person with physical access to the device can reset the Admin password by inserting a USB drive (containing a publicly documented reset string) into a USB port.