Total
4304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63218 | 1 Axeltechnology | 4 Wolf1ms, Wolf1ms Firmware, Wolf2ms and 1 more | 2026-01-12 | N/A | 9.8 CRITICAL |
| The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | |||||
| CVE-2025-67014 | 1 Axing | 2 Dev7113, Dev7113 Firmware | 2026-01-09 | N/A | 7.5 HIGH |
| Incorrect access control in DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 allows unauthenticated attackers to access an administrative endpoint. | |||||
| CVE-2025-15110 | 1 Jackq | 1 Xcms | 2026-01-09 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2021-33162 | 1 Intel | 7 Ethernet Adapter Complete Driver, Ethernet Controller I225-it, Ethernet Controller I225-it Firmware and 4 more | 2026-01-09 | N/A | 8.4 HIGH |
| Improper access control in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2025-15360 | 1 Newbee-ltd | 1 Newbee-mall-plus | 2026-01-09 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted upload. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-60784 | 1 Xiaozhangbang | 1 Voluntary Like System | 2026-01-09 | N/A | 6.5 MEDIUM |
| A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts. | |||||
| CVE-2026-0577 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2025-14522 | 1 Baowzh | 1 Hfly | 2026-01-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5873 | 2026-01-09 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was detected in eCharge Hardy Barth Salia PLCC up to 2.3.81. Affected by this issue is some unknown functionality of the file /firmware.php of the component Web UI. Performing a manipulation of the argument media results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10371 | 2026-01-09 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-21447 | 1 Webkul | 1 Bagisto | 2026-01-08 | N/A | 7.1 HIGH |
| Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. | |||||
| CVE-2025-15448 | 2026-01-08 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0980 | 2026-01-08 | N/A | 6.4 MEDIUM | ||
| Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials. | |||||
| CVE-2022-32872 | 1 Apple | 2 Ipados, Iphone Os | 2026-01-07 | N/A | 2.4 LOW |
| A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen. | |||||
| CVE-2025-15423 | 1 Phome | 1 Empirecms | 2026-01-07 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15197 | 2 Anirbandutta, Code-projects | 2 News-buzz, Content Management System | 2026-01-07 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-65176 | 1 Dynatrace | 1 Oneagent | 2026-01-07 | N/A | 7.5 HIGH |
| An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a "STATUS_LOGON_FAILURE" error, the agent will retrieve every user token on the machine and repeatedly attempt to access the network share while impersonating them. The exploitation of this vulnerability can allow an unprivileged attacker with access to the affected system to perform NTLM relay attacks. | |||||
| CVE-2022-37341 | 1 Intel | 7 Ethernet Adapter Complete Driver, Ethernet Controller I225-it, Ethernet Controller I225-it Firmware and 4 more | 2026-01-07 | N/A | 7.2 HIGH |
| Improper access control in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2025-63525 | 1 Shridharshukl | 1 Blood Bank Management System | 2026-01-06 | N/A | 9.6 CRITICAL |
| An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php. | |||||
| CVE-2025-15404 | 1 Campcodes | 1 School File Management System | 2026-01-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||