Total
331221 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13033 | 2026-02-03 | N/A | 7.5 HIGH | ||
| A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls. | |||||
| CVE-2025-10666 | 1 Dlink | 2 Dir-825, Dir-825 Firmware | 2026-02-03 | 9.0 HIGH | 8.8 HIGH |
| A security flaw has been discovered in D-Link DIR-825 up to 2.10. Affected by this vulnerability is the function sub_4106d4 of the file apply.cgi. The manipulation of the argument countdown_time results in buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-10370 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2026-02-03 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. The manipulation of the argument Custom script leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-36065 | 1 Ibm | 1 Sterling Connect\ | 2026-02-03 | N/A | 6.3 MEDIUM |
| IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2025-36066 | 1 Ibm | 1 Sterling Connect\ | 2026-02-03 | N/A | 6.1 MEDIUM |
| IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2025-36113 | 1 Ibm | 1 Sterling Connect\ | 2026-02-03 | N/A | 5.4 MEDIUM |
| IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2025-36115 | 1 Ibm | 1 Sterling Connect\ | 2026-02-03 | N/A | 6.3 MEDIUM |
| IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2026-20413 | 2 Google, Mediatek | 5 Android, Mt6899, Mt6991 and 2 more | 2026-02-03 | N/A | 6.7 MEDIUM |
| In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694. | |||||
| CVE-2025-56353 | 1 Justdoit0910 | 1 Tinymqtt | 2026-02-03 | N/A | 7.5 HIGH |
| In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack. | |||||
| CVE-2026-20414 | 2 Google, Mediatek | 9 Android, Mt6897, Mt6989 and 6 more | 2026-02-03 | N/A | 6.7 MEDIUM |
| In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625. | |||||
| CVE-2026-20415 | 2 Google, Mediatek | 3 Android, Mt6897, Mt6989 | 2026-02-03 | N/A | 5.5 MEDIUM |
| In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617. | |||||
| CVE-2026-20417 | 2 Google, Mediatek | 4 Android, Mt6991, Mt6993 and 1 more | 2026-02-03 | N/A | 5.3 MEDIUM |
| In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10314946 / ALPS10340155; Issue ID: MSV-5154. | |||||
| CVE-2026-20418 | 2 Google, Mediatek | 3 Matter, Mt7931, Mt7933 | 2026-02-03 | N/A | 9.8 CRITICAL |
| In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927. | |||||
| CVE-2025-64087 | 1 Opensagres | 1 Xdocreport | 2026-02-03 | N/A | 9.8 CRITICAL |
| A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. | |||||
| CVE-2025-65482 | 1 Opensagres | 1 Xdocreport | 2026-02-03 | N/A | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | |||||
| CVE-2026-1245 | 1 Keichi | 1 Binary-parser | 2026-02-03 | N/A | 6.5 MEDIUM |
| A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. | |||||
| CVE-2026-0622 | 1 Open5gs | 1 Open5gs | 2026-02-03 | N/A | 6.5 MEDIUM |
| Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset | |||||
| CVE-2025-55130 | 1 Nodejs | 1 Node.js | 2026-02-03 | N/A | 9.1 CRITICAL |
| A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | |||||
| CVE-2025-55132 | 1 Nodejs | 1 Node.js | 2026-02-03 | N/A | 5.3 MEDIUM |
| A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | |||||
| CVE-2026-20419 | 2 Mediatek, Openwrt | 28 Mt6890, Mt6989tb, Mt7902 and 25 more | 2026-02-03 | N/A | 7.5 HIGH |
| In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852. | |||||