Total
331561 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1740 | 2026-02-03 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2020-37049 | 2026-02-03 | N/A | 8.4 HIGH | ||
| Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload to overflow the buffer, bypass DEP, and execute commands like launching calc.exe through a specially crafted input sequence. | |||||
| CVE-2026-1743 | 2026-02-03 | 1.8 LOW | 3.1 LOW | ||
| A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15510 | 2026-02-03 | N/A | 5.3 MEDIUM | ||
| The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter. | |||||
| CVE-2020-37034 | 2026-02-03 | N/A | 7.5 HIGH | ||
| HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. | |||||
| CVE-2026-25253 | 2026-02-03 | N/A | 8.8 HIGH | ||
| OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. | |||||
| CVE-2025-47364 | 2026-02-03 | N/A | 6.8 MEDIUM | ||
| Memory corruption while calculating offset from partition start point. | |||||
| CVE-2025-47363 | 2026-02-03 | N/A | 6.8 MEDIUM | ||
| Memory corruption when calculating oversized partition sizes without proper checks. | |||||
| CVE-2022-50952 | 2026-02-03 | N/A | 6.4 MEDIUM | ||
| Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction. | |||||
| CVE-2020-37046 | 2026-02-03 | N/A | 5.3 MEDIUM | ||
| Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent. | |||||
| CVE-2020-37063 | 2026-02-03 | N/A | 7.8 HIGH | ||
| TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | |||||
| CVE-2026-1757 | 2026-02-03 | N/A | 6.2 MEDIUM | ||
| A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system. | |||||
| CVE-2026-1738 | 2026-02-03 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A flaw has been found in Open5GS up to 2.7.6. The impacted element is the function sgwc_tunnel_add of the file /src/sgwc/context.c of the component SGWC. Executing a manipulation of the argument pdr can lead to reachable assertion. The attack can be executed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. | |||||
| CVE-2024-54263 | 2026-02-03 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.This issue affects Spirit Framework: from n/a through 1.2.13. | |||||
| CVE-2025-7105 | 2026-02-03 | N/A | 5.7 MEDIUM | ||
| A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affects the latest version of the product. | |||||
| CVE-2020-37061 | 2026-02-03 | N/A | 7.8 HIGH | ||
| BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions. | |||||
| CVE-2021-47917 | 2026-02-03 | N/A | 6.4 MEDIUM | ||
| Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute on user list preview, potentially leading to session hijacking and application manipulation. | |||||
| CVE-2020-37057 | 2026-02-03 | N/A | 8.2 HIGH | ||
| Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. | |||||
| CVE-2025-47358 | 2026-02-03 | N/A | 7.8 HIGH | ||
| Memory Corruption when user space address is modified and passed to mem_free API, causing kernel memory to be freed inadvertently. | |||||
| CVE-2026-23039 | 2026-02-03 | N/A | N/A | ||
| In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences. | |||||