Total: 9510 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13086 | 1 Qnap | 2 Qts, Quts Hero | 2026-01-30 | N/A | 5.3 MEDIUM |
| An exposure of sensitive information vulnerability has been reported to affect product. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QTS 5.2.0.2851 build 20240808 and later QuTS hero h5.2.0.2851 build 20240808 and later | |||||
| CVE-2025-65098 | 1 Typebot | 1 Typebot | 2026-01-30 | N/A | 7.4 HIGH |
| Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | |||||
| CVE-2026-20800 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 6.5 MEDIUM |
| Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | |||||
| CVE-2024-56526 | 1 Oxid-esales | 1 Eshop | 2026-01-29 | N/A | 4.9 MEDIUM |
| An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error. | |||||
| CVE-2026-21940 | 1 Oracle | 1 Supply Chain Products Suite | 2026-01-29 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2026-0905 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-01-29 | N/A | 9.8 CRITICAL |
| Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attacker who obtained a network log file to potentially obtain sensitive information via that network log file. (Chromium security severity: Medium) | |||||
| CVE-2025-49184 | 1 Sick | 6 Baggage Analytics, Enterprise Analytics, Field Analytics and 3 more | 2026-01-29 | N/A | 7.5 HIGH |
| A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product. | |||||
| CVE-2025-65090 | 1 Xwiki | 1 Full Calendar Macro | 2026-01-29 | N/A | 5.3 MEDIUM |
| XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6. | |||||
| CVE-2026-22645 | 1 Sick | 1 Incoming Goods Suite | 2026-01-29 | N/A | 5.3 MEDIUM |
| The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components. | |||||
| CVE-2026-24870 | | | 2026-01-29 | N/A | 3.7 LOW |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | |||||
| CVE-2025-54373 | | | 2026-01-29 | N/A | N/A |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue. | |||||
| CVE-2026-24473 | | | 2026-01-29 | N/A | N/A |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue. | |||||
| CVE-2026-1060 | | | 2026-01-29 | N/A | 5.3 MEDIUM |
| The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs. | |||||
| CVE-2026-21974 | 1 Oracle | 1 Life Sciences Central Designer | 2026-01-29 | N/A | 5.3 MEDIUM |
| Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2025-25468 | 1 Ffmpeg | 1 Ffmpeg | 2026-01-29 | N/A | 6.5 MEDIUM |
| FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c. | |||||
| CVE-2026-24422 | 1 Phpmyfaq | 1 Phpmyfaq | 2026-01-28 | N/A | 5.3 MEDIUM |
| phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17. | |||||
| CVE-2017-16539 | 1 Mobyproject | 1 Moby | 2026-01-27 | 4.3 MEDIUM | 5.9 MEDIUM |
| The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP. | |||||
| CVE-2026-22251 | 1 Weblate | 1 Wlc | 2026-01-27 | N/A | 5.3 MEDIUM |
| wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. | |||||
| CVE-2025-24090 | 1 Apple | 2 Ipados, Iphone Os | 2026-01-27 | N/A | 3.3 LOW |
| A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | |||||
| CVE-2025-24089 | 1 Apple | 2 Ipados, Iphone Os | 2026-01-27 | N/A | 5.3 MEDIUM |
| A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | |||||
