Total
331306 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-36113 | 1 Ibm | 1 Sterling Connect\ | 2026-02-03 | N/A | 5.4 MEDIUM |
| IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2025-36115 | 1 Ibm | 1 Sterling Connect\ | 2026-02-03 | N/A | 6.3 MEDIUM |
| IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2026-20413 | 2 Google, Mediatek | 5 Android, Mt6899, Mt6991 and 2 more | 2026-02-03 | N/A | 6.7 MEDIUM |
| In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694. | |||||
| CVE-2025-56353 | 1 Justdoit0910 | 1 Tinymqtt | 2026-02-03 | N/A | 7.5 HIGH |
| In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack. | |||||
| CVE-2026-20414 | 2 Google, Mediatek | 9 Android, Mt6897, Mt6989 and 6 more | 2026-02-03 | N/A | 6.7 MEDIUM |
| In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625. | |||||
| CVE-2026-20415 | 2 Google, Mediatek | 3 Android, Mt6897, Mt6989 | 2026-02-03 | N/A | 5.5 MEDIUM |
| In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617. | |||||
| CVE-2026-20417 | 2 Google, Mediatek | 4 Android, Mt6991, Mt6993 and 1 more | 2026-02-03 | N/A | 5.3 MEDIUM |
| In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10314946 / ALPS10340155; Issue ID: MSV-5154. | |||||
| CVE-2026-20418 | 2 Google, Mediatek | 3 Matter, Mt7931, Mt7933 | 2026-02-03 | N/A | 9.8 CRITICAL |
| In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927. | |||||
| CVE-2025-64087 | 1 Opensagres | 1 Xdocreport | 2026-02-03 | N/A | 9.8 CRITICAL |
| A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. | |||||
| CVE-2025-65482 | 1 Opensagres | 1 Xdocreport | 2026-02-03 | N/A | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | |||||
| CVE-2026-1245 | 1 Keichi | 1 Binary-parser | 2026-02-03 | N/A | 6.5 MEDIUM |
| A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. | |||||
| CVE-2026-0622 | 1 Open5gs | 1 Open5gs | 2026-02-03 | N/A | 6.5 MEDIUM |
| Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset | |||||
| CVE-2025-55130 | 1 Nodejs | 1 Node.js | 2026-02-03 | N/A | 9.1 CRITICAL |
| A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | |||||
| CVE-2025-55132 | 1 Nodejs | 1 Node.js | 2026-02-03 | N/A | 5.3 MEDIUM |
| A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | |||||
| CVE-2026-20420 | 1 Mediatek | 40 Mt2735, Mt2737, Mt6813 and 37 more | 2026-02-03 | N/A | 7.5 HIGH |
| In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738313; Issue ID: MSV-5935. | |||||
| CVE-2026-20421 | 1 Mediatek | 16 Mt2735, Mt6833, Mt6853 and 13 more | 2026-02-03 | N/A | 7.5 HIGH |
| In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738293; Issue ID: MSV-5922. | |||||
| CVE-2026-20422 | 1 Mediatek | 57 Mt2735, Mt2737, Mt6813 and 54 more | 2026-02-03 | N/A | 7.5 HIGH |
| In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00827332; Issue ID: MSV-5919. | |||||
| CVE-2025-40536 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | N/A | 8.1 HIGH |
| SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. | |||||
| CVE-2026-1485 | 2026-02-03 | N/A | 2.8 LOW | ||
| A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. | |||||
| CVE-2025-40537 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | N/A | 7.5 HIGH |
| SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | |||||