Export limit exceeded: 10619 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10619 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10619 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69752 | 1 Ideagen | 1 Q-pulse | 2026-02-18 | 4.3 Medium |
| An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL. | ||||
| CVE-2026-22235 | 2 Opexus, Opexustech | 2 Ecomplaint, Ecase Ecomplaint | 2026-02-18 | 7.5 High |
| OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. | ||||
| CVE-2026-22709 | 2 Patriksimek, Vm2 Project | 2 Vm2, Vm2 | 2026-02-17 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue. | ||||
| CVE-2026-0484 | 2 Sap, Sap Se | 2 Sap Basis, Sap Netweaver Application Server Abap And Sap S/4hana | 2026-02-17 | 6.5 Medium |
| Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. This vulnerability has a high impact on integrity of the application with no effect on the confidentiality and availability. | ||||
| CVE-2026-23991 | 1 Theupdateframework | 1 Go-tuf | 2026-02-17 | 5.9 Medium |
| go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. | ||||
| CVE-2025-61950 | 1 Groupsession | 3 Groupsession, Groupsession Bycloud, Groupsession Zion | 2026-02-17 | N/A |
| In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With some crafted request, a logged-in user may alter the memo field. The affected products and versions are GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. | ||||
| CVE-2025-20791 | 1 Mediatek | 26 Mt2735, Mt6833, Mt6833p and 23 more | 2026-02-17 | 6.5 Medium |
| In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661189; Issue ID: MSV-4298. | ||||
| CVE-2025-20757 | 1 Mediatek | 27 Modem, Mt2735, Mt6833 and 24 more | 2026-02-17 | 6.5 Medium |
| In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673751; Issue ID: MSV-4644. | ||||
| CVE-2025-20752 | 1 Mediatek | 50 Modem, Mt2735, Mt2737 and 47 more | 2026-02-17 | 6.5 Medium |
| In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01270690; Issue ID: MSV-4301. | ||||
| CVE-2025-20678 | 1 Mediatek | 94 Lr12a, Lr13, Mt6739 and 91 more | 2026-02-17 | 6.5 Medium |
| In ims service, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01394606; Issue ID: MSV-2739. | ||||
| CVE-2025-20666 | 1 Mediatek | 31 Mt2735, Mt6833, Mt6833p and 28 more | 2026-02-17 | 6.5 Medium |
| In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00650610; Issue ID: MSV-2933. | ||||
| CVE-2026-24323 | 2 Sap, Sap Se | 4 Document Management System, Erp, S4core and 1 more | 2026-02-17 | 6.1 Medium |
| The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application. | ||||
| CVE-2026-24328 | 2 Sap, Sap Se | 2 Business Server Pages, Business Server Pages Application (taf Applauncher) | 2026-02-17 | 6.1 Medium |
| SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application. | ||||
| CVE-2025-12063 | 2 Axis, Axis Communications Ab | 2 Camera Station Pro, Axis Camera Station Pro | 2026-02-17 | 5.7 Medium |
| An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions. | ||||
| CVE-2026-25956 | 1 Frappe | 1 Frappe | 2026-02-17 | 6.1 Medium |
| Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0. | ||||
| CVE-2025-26637 | 1 Microsoft | 20 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 17 more | 2026-02-16 | 6.8 Medium |
| Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | ||||
| CVE-2025-62453 | 2 Github, Microsoft | 2 Copilot, Visual Studio Code | 2026-02-13 | 5 Medium |
| Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-25530 | 1 Kanboard | 1 Kanboard | 2026-02-13 | 4.3 Medium |
| Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50. | ||||
| CVE-2025-21104 | 1 Dell | 2 Networker, Networker Management Console | 2026-02-13 | 4.3 Medium |
| Dell NetWorker, versions prior to 19.11.0.4 and version 19.12, contains an URL Redirection to Untrusted Site ('Open Redirect') Vulnerability in NetWorker Management Console. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. | ||||
| CVE-2022-32221 | 6 Apple, Debian, Haxx and 3 more | 16 Macos, Debian Linux, Curl and 13 more | 2026-02-13 | 9.8 Critical |
| When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. | ||||