Total
332608 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41727 | 2026-01-27 | N/A | 7.8 HIGH | ||
| A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | |||||
| CVE-2026-24829 | 2026-01-27 | N/A | 6.5 MEDIUM | ||
| Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4. | |||||
| CVE-2026-1213 | 2026-01-27 | N/A | N/A | ||
| All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2. | |||||
| CVE-2020-36955 | 2026-01-27 | N/A | 6.4 MEDIUM | ||
| Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site. | |||||
| CVE-2026-1484 | 2026-01-27 | N/A | 4.2 MEDIUM | ||
| A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. | |||||
| CVE-2026-24408 | 2026-01-27 | N/A | N/A | ||
| sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue. | |||||
| CVE-2025-9615 | 2026-01-27 | N/A | 3.3 LOW | ||
| A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection. | |||||
| CVE-2026-24489 | 2026-01-27 | N/A | 5.3 MEDIUM | ||
| Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests. | |||||
| CVE-2025-12387 | 2026-01-27 | N/A | N/A | ||
| A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2026-0925 | 2026-01-27 | N/A | 2.7 LOW | ||
| Tanium addressed an improper input validation vulnerability in Discover. | |||||
| CVE-2026-0810 | 2026-01-27 | N/A | 6.8 MEDIUM | ||
| A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences. | |||||
| CVE-2025-30248 | 2026-01-27 | N/A | N/A | ||
| DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path. | |||||
| CVE-2026-24820 | 2026-01-27 | N/A | N/A | ||
| Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C. This issue affects WickedEngine: before 0.71.705. | |||||
| CVE-2025-9521 | 2026-01-27 | N/A | N/A | ||
| Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security. | |||||
| CVE-2025-11687 | 2026-01-27 | N/A | 6.1 MEDIUM | ||
| A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). | |||||
| CVE-2026-24800 | 2026-01-27 | N/A | N/A | ||
| Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C. | |||||
| CVE-2025-9520 | 2026-01-27 | N/A | N/A | ||
| An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. | |||||
| CVE-2026-24476 | 2026-01-27 | N/A | N/A | ||
| Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue. | |||||
| CVE-2026-24470 | 2026-01-27 | N/A | 8.1 HIGH | ||
| Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions. | |||||
| CVE-2025-9522 | 2026-01-27 | N/A | N/A | ||
| Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. | |||||